What and who is in the DDoS protection market

"The guy who built our website already set up DDoS protection."
"We have DDoS protection, so why did the site go down?"
"How many thousands does Qrator want?"

To answer such questions from a client or manager properly, it helps to know what hides behind the phrase "DDoS protection". Choosing a protection service is more like choosing medicine with a doctor than choosing a table at IKEA.

I have been supporting websites for 11 years, have lived through hundreds of attacks on the services I support, and will now tell you a little about the inner workings of protection.
[Image: a typical attack. 350k requests in total, 52k of them legitimate]

The first attacks appeared almost together with the Internet itself. DDoS as a mass phenomenon has been widespread since the late 2000s (see www.cloudflare.com/learning/ddos/famous-ddos-attacks).
Since around 2015-2016, almost all hosting providers have come under DDoS protection, as have most prominent sites in competitive niches (run whois on the IP addresses of eldorado.ru, leroymerlin.ru, tilda.ws and you will see the networks of protection operators).

If 10-20 years ago most attacks could be repelled on the server itself (see the advice of Lenta.ru sysadmin Maxim Moshkov from the 90s: lib.ru/WEBMASTER/sowetywww2.txt_with-big-pictures.html#10), today the task of defending is considerably harder.

Types of DDoS attacks from the point of view of choosing a protection operator

Attacks at L3/L4 (in OSI-model terms)

— UDP flood from a botnet (a mass of packets is sent directly from infected devices to the attacked service, and the server's channel is saturated);
— DNS/NTP/etc. amplification (a mass of requests is sent from infected devices to open DNS/NTP/etc. servers with the sender address spoofed to the victim's; the cloud of responses, many times larger than the requests, floods the victim's channel; this is how the largest attacks on today's Internet are carried out);
— SYN/ACK flood (a mass of connection-establishment requests is sent to the attacked servers, and the connection queue overflows);
— attacks with packet fragmentation, ping of death, ping flood (Google them);
— and so on.

These attacks aim to "clog" the server's channel or "kill" its ability to accept new traffic.
Although SYN/ACK floods and amplification are very different, many companies handle both equally well. Problems begin with the next group of attacks.
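
The attack kinds above can be told apart at the flow level. The following is an added example for this article (not a vendor's detector and not code from the original post): it classifies constructed flow records into amplification, SYN flood and direct UDP flood, and shows the "precise" side of the trade-off, dropping only UDP replies from amplifier ports that nobody on the defended side asked for, while a solicited DNS reply survives. The defended prefix, the reflector port list and all thresholds are assumptions.

```python
"""Classify the L3/L4 attack kinds described above from flow records.
Added example for this article, not a vendor's detector: the records are
constructed below and the thresholds are assumptions."""
import random
from collections import defaultdict

PROTECTED_PREFIX = "203.0.113."            # assumption: the defended /24
REFLECTOR_PORTS = {53, 123, 1900, 11211}   # DNS, NTP, SSDP, memcached
PKT_THRESHOLD = 100                        # assumption: packets per victim in the window
MIN_FLOOD_SOURCES = 10                     # assumption: distinct sources for a "botnet" verdict


def record(src, sport, dst, dport, proto, size, flags=""):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": proto, "size": size, "flags": flags}


def build_sample():
    """Constructed flow sample: one legitimate DNS exchange plus three attacks."""
    rng = random.Random(7)

    def reflector():   # open resolvers abused as amplifiers
        return "198.51.100.%d" % rng.randint(1, 254)

    def bot():         # infected hosts of the botnet
        return "192.0.2.%d" % rng.randint(1, 254)

    def port():        # ephemeral port that is never a reflector port
        return rng.randint(20000, 60000)

    recs = []
    # host .10 asks a resolver and gets one reply: solicited, must survive
    recs.append(record(PROTECTED_PREFIX + "10", 40001, "198.51.100.53", 53, "udp", 60))
    recs.append(record("198.51.100.53", 53, PROTECTED_PREFIX + "10", 40001, "udp", 120))
    # DNS amplification against .20: large replies nobody on our side asked for
    for _ in range(200):
        recs.append(record(reflector(), 53, PROTECTED_PREFIX + "20", port(), "udp", 3000))
    # SYN flood against .30, mixed with 20 real handshakes that do complete
    for _ in range(300):
        recs.append(record(bot(), port(), PROTECTED_PREFIX + "30", 443, "tcp", 60, "S"))
    for i in range(20):
        client = "192.0.2.%d" % (200 + i)
        recs.append(record(client, 50000 + i, PROTECTED_PREFIX + "30", 443, "tcp", 60, "S"))
        recs.append(record(client, 50000 + i, PROTECTED_PREFIX + "30", 443, "tcp", 52, "A"))
    # direct UDP flood from the botnet against .40
    for _ in range(300):
        recs.append(record(bot(), port(), PROTECTED_PREFIX + "40", 80, "udp", 1400))
    return recs


def analyze(records):
    """Return ({victim: set(verdicts)}, [indices a precise policy would drop])."""
    outbound = set()   # UDP 4-tuples our hosts initiated: replies to these are wanted
    stats = defaultdict(lambda: {"reflect": 0, "udp": 0, "udp_src": set(), "syn": 0, "ack": 0})
    drops = []
    for i, r in enumerate(records):
        if r["src"].startswith(PROTECTED_PREFIX):
            if r["proto"] == "udp":
                outbound.add((r["src"], r["sport"], r["dst"], r["dport"]))
            continue
        if not r["dst"].startswith(PROTECTED_PREFIX):
            continue
        s = stats[r["dst"]]
        if r["proto"] == "udp":
            solicited = (r["dst"], r["dport"], r["src"], r["sport"]) in outbound
            if solicited:
                continue                 # a reply to our own query: legitimate
            if r["sport"] in REFLECTOR_PORTS:
                s["reflect"] += 1
                drops.append(i)          # unsolicited reply from an amplifier port
            else:
                s["udp"] += 1
                s["udp_src"].add(r["src"])
        elif r["proto"] == "tcp":
            if r["flags"] == "S":
                s["syn"] += 1
            elif "A" in r["flags"]:
                s["ack"] += 1
    verdicts = {}
    for victim, s in stats.items():
        v = set()
        if s["reflect"] >= PKT_THRESHOLD:
            v.add("amplification")
        if s["udp"] >= PKT_THRESHOLD and len(s["udp_src"]) >= MIN_FLOOD_SOURCES:
            v.add("udp_flood")
        if s["syn"] >= PKT_THRESHOLD and s["syn"] > 10 * s["ack"]:
            v.add("syn_flood")
        if v:
            verdicts[victim] = v
    return verdicts, drops


if __name__ == "__main__":
    found, dropped = analyze(build_sample())
    print(found, len(dropped))
```

The drop list covers only the amplification case, because that is the one where a request/reply state check separates junk from wanted traffic cleanly; a SYN flood is handled by SYN cookies or a TCP proxy rather than by dropping flows, and a direct UDP flood from thousands of sources is where the blunt per-country or per-prefix filters the article mentions come in.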

Attacks at L7 (the application layer)

— HTTP flood (when a website or some HTTP API is attacked);
— attacks on vulnerable parts of the site (those that are not cached, those that load the site heavily, and so on).

The goal is to make the server "work hard", chew through a mass of "requests that look real" and be left without resources for the genuine ones.

There are other attacks, but these are the most common.

Serious L7 attacks are crafted individually for each targeted project.

Why two groups?
Because there are many who can repel L3/L4 attacks well but either do not offer application-layer (L7) protection at all, or handle it worse than the alternatives.

Who is in the DDoS protection market

(my personal opinion)

Protection at L3/L4

To repel amplification attacks (the "clogging" of the server's channel), sufficiently wide channels are available (many protection services connect to most of the large backbone providers in Russia and have channels with a theoretical capacity above 1 Tbit). And don't forget that an amplification attack very rarely lasts longer than an hour. If you are Spamhaus and everyone hates you, then yes, they may try to clog your channels for several days, even at the risk of the global botnet being used not surviving it. If you run an online store, even one like mvideo.ru, you will not see 1 Tbit for several days any time soon (I hope).

To repel SYN/ACK floods, packet-fragmentation attacks and the like, hardware or software systems are needed to detect and stop such attacks.
Many vendors make such hardware (Arbor, solutions from Cisco and Huawei, software implementations from Wanguard, etc.), and many backbone operators have already installed it and sell DDoS protection services (I know of installations at Rostelecom, Megafon, TTK and MTS; in fact all the major providers do the same, as do hosters with their own protection a la OVH.com and Hetzner.de; I personally ran into the protection at ihor.ru). Some companies develop their own software solutions (technologies like DPDK allow tens of gigabits of traffic to be processed on a single physical x86 machine).

Among the known players, everyone can fight L3/L4 DDoS more or less adequately. I will not say now who has the largest channel capacity (that is insider information), but usually this is not so important; the only difference is how quickly the protection kicks in (immediately, or after a few minutes of downtime for the project, as at Hetzner).
The question is how it is done: an amplification attack can be repelled by blocking traffic from the countries that produce the most malicious traffic, or only the traffic that is truly unwanted can be dropped.
In my experience, all the serious players on the market cope with this without problems: Qrator, DDoS-Guard, Kaspersky, G-Core Labs (formerly SkyParkCDN), ServicePipe, StormWall, Voxility, etc.
I have not dealt with protection from operators like Rostelecom, Megafon, TTK and Beeline; according to colleagues, they provide these services decently, but for now their lack of experience shows from time to time: sometimes you have to push things through the protection operator's support.
Some operators offer "protection from L3/L4 attacks" or "channel protection" as a separate service; it costs much less than protection at all layers.

Why is a protection operator without backbone channels of its own not afraid of attacks of hundreds of Gbit? It can connect to any of the major providers and repel attacks "at their expense". The channel has to be paid for, but those hundreds of Gbit will not be in use all the time; there are ways to reduce channel costs substantially in this situation, so the scheme remains viable.
[Image: the reports I regularly receive about L3/L4 protection while supporting hosting providers' systems]

Protection at L7 (the application layer)

Only a handful of players can repel L7 (application-layer) attacks consistently and adequately.
I have real experience with:
— Qrator.net;
— DDoS-Guard;
— G-Core Labs;
— Kaspersky.

They charge per megabit of clean traffic, and a megabit costs on the order of several thousand rubles. If you have at least 100 Mbit/s of clean traffic, well, protection will be very expensive. In later articles I can describe how to design applications so as to save a great deal on protection channel capacity.
The real "king of the hill" is Qrator.net; the rest lag behind it. So far Qrator is the only one in my experience with a false-positive rate close to zero, but at the same time it costs several times more than the other players on the market.

Other operators also provide high-quality and stable protection. Many services supported by us (including some very well known in the country!) are protected by DDoS-Guard and G-Core Labs and are satisfied with the results.
[Image: attacks repelled by Qrator]

I also have experience with small protection operators like cloud-shield.ru, ddosa.net and their thousands of kin. I definitely will not recommend them, since I don't have much experience with them, but I will describe how they work. Their protection is often one or two orders of magnitude cheaper than the major players'. As a rule, they buy partial (L3/L4) protection from one of the major players and build their own protection against attacks at the higher layers. This can be quite effective, and you can get a good service for little money, but these are still small companies with small staffs; please keep that in mind.

What is hard about repelling L7 attacks?

Every application is unique, and you have to let through the traffic that is useful to it and block the harmful traffic. It is not always possible to weed out bots unambiguously, so you have to use many, really MANY degrees of traffic cleaning.

Once, the nginx-testcookie module (https://github.com/kyprizel/testcookie-nginx-module) was enough, and it is still enough to repel a large number of attacks. When I worked in the hosting business, L7 protection was built on nginx-testcookie.
Unfortunately, attacks have become more sophisticated. testcookie uses JS-based bot checks, and many modern bots pass them successfully.
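
To make the check and its limitation concrete, here is a simplified model of a testcookie-style JavaScript challenge. It is an added example, not the nginx-testcookie module's own code or algorithm: the cookie value is an HMAC of the client address under a server secret, and the challenge page hands that value to the client inside a script, so a client must execute the script to obtain it. The secret, cookie name and the two simulated clients are assumptions. A flood tool that ignores the page never reaches the origin; a bot with a JS engine passes after a single challenge, which is exactly the weakness described above.

```python
"""Simplified model of a testcookie-style JavaScript challenge.
Added example, not the nginx-testcookie module's code: the cookie value is an
HMAC of the client address under a server secret, and the challenge page hands
that value to the client inside a script, so only a client that executes the
script (a browser, or a bot with a JS engine) obtains it."""
import hashlib
import hmac
import re
from dataclasses import dataclass, field

SECRET = b"change-me-and-rotate"   # assumption: server-side secret
COOKIE = "__test"                  # assumption: cookie name


def expected_cookie(client_ip: str, secret: bytes = SECRET) -> str:
    """Per-client value; a cookie stolen from another address does not validate."""
    return hmac.new(secret, client_ip.encode(), hashlib.sha256).hexdigest()[:32]


@dataclass
class Request:
    client_ip: str
    path: str
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    origin: bool       # True if the request was passed through to the backend
    body: str


def challenge_page(value: str, path: str) -> str:
    """Page that sets the cookie via JS and reloads; no origin work is done."""
    return ("<script>document.cookie='%s=%s; path=/';location.replace('%s');</script>"
            % (COOKIE, value, path))


def handle(req: Request) -> Response:
    """Pass the request to the origin only if it carries a valid cookie."""
    want = expected_cookie(req.client_ip)
    got = req.cookies.get(COOKIE, "")
    if hmac.compare_digest(got.encode(), want.encode()):
        return Response(True, "origin content for " + req.path)
    return Response(False, challenge_page(want, req.path))


def dumb_bot(ip: str, path: str, n: int) -> int:
    """Flood bot without a JS engine: ignores the challenge, never reaches the origin."""
    return sum(handle(Request(ip, path)).origin for _ in range(n))


def js_bot(ip: str, path: str, n: int) -> int:
    """Bot that executes the script (headless browser): passes after one challenge."""
    jar, hits = {}, 0
    for _ in range(n):
        resp = handle(Request(ip, path, jar))
        if resp.origin:
            hits += 1
            continue
        m = re.search(r"document\.cookie='([^=]+)=([^;]+)", resp.body)
        jar[m.group(1)] = m.group(2)   # "runs" the script: stores the cookie
    return hits
```

The check costs the origin nothing per bogus request, which is why it still stops simple floods; but the only thing it proves is that the client ran a script, so anything that drives a real browser engine passes on its second request.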

Attack botnets are also unique, and the peculiarities of each large botnet have to be taken into account.
Amplification, direct flood from a botnet, filtering of traffic from different countries (with different filtering for different countries), SYN/ACK flood, packet fragmentation, ICMP, HTTP flood, while at the application/HTTP layer an unlimited number of different attacks can be devised.
In total, between channel-level protection, specialised traffic-scrubbing hardware, specialised software and additional scrubbing rules for each client, there can be tens or hundreds of cleaning levels.
To manage all this properly and tune the cleaning settings correctly for different users takes a lot of experience and qualified staff. Even a large operator that has decided to offer protection services cannot simply "throw money at the problem": the experience has to be earned on sites that are down and on false positives against legitimate traffic.
There is no "repel DDoS" button at a protection operator; there is a large set of tools, and you have to know how to use them.
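
What "many degrees of cleaning" looks like in practice, for the two L7 attack kinds listed earlier (HTTP flood and targeting of uncached, expensive endpoints): an added example, not an operator's ruleset and not code from the original article. It parses constructed combined-format access-log lines, builds a per-client profile, and runs it through a list of tiers, each a single predicate with its own action (block, challenge, allow). A human browsing normally is allowed, a plain flood from a scripting tool is blocked by the rate tier, and a slow bot that hammers only the search endpoint is sent to a JS challenge by the heavy-endpoint tier. The endpoint list, the tool user-agent list and every threshold are assumptions.

```python
"""Tiered L7 filter over web-server access logs, illustrating HTTP flood and
uncached-endpoint attacks and the idea of many "degrees of cleaning".
Added example, not an operator's ruleset: the log lines are constructed here
and every threshold is an assumption."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
HEAVY_PREFIXES = ("/search", "/api/report")                 # assumption: uncached, expensive
TOOL_UAS = ("python-requests", "curl/", "Go-http-client")   # assumption: scripting tools
RATE_LIMIT = 10.0      # assumption: req/s one client may sustain
HEAVY_SHARE = 0.8      # assumption: share of heavy requests that looks like targeting
HEAVY_MIN = 20         # assumption: minimum requests before the heavy tier applies
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/124.0"


def parse(line):
    """One combined-format line -> dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    return d


def profile_clients(lines):
    """Aggregate per-client features: request count, active span, heavy share, UAs."""
    agg = defaultdict(lambda: {"n": 0, "first": None, "last": None, "heavy": 0, "uas": set()})
    for line in lines:
        d = parse(line)
        if d is None:
            continue
        a = agg[d["ip"]]
        a["n"] += 1
        a["first"] = d["ts"] if a["first"] is None else min(a["first"], d["ts"])
        a["last"] = d["ts"] if a["last"] is None else max(a["last"], d["ts"])
        a["heavy"] += d["path"].startswith(HEAVY_PREFIXES)
        a["uas"].add(d["ua"])
    for a in agg.values():
        span = max(1.0, (a["last"] - a["first"]).total_seconds())
        a["rate"] = a["n"] / span
        a["heavy_share"] = a["heavy"] / a["n"]
    return agg


# Each tier is one "degree of cleaning"; adding another is a one-line change.
TIERS = [
    ("rate",  lambda a: a["rate"] > RATE_LIMIT, "block"),
    ("heavy", lambda a: a["n"] >= HEAVY_MIN and a["heavy_share"] >= HEAVY_SHARE, "challenge"),
    ("ua",    lambda a: any(ua == "" or ua.startswith(TOOL_UAS) for ua in a["uas"]), "challenge"),
]
SEVERITY = {"allow": 0, "challenge": 1, "block": 2}


def decide(lines):
    """Return {ip: (decision, [names of tiers that fired])}; the harshest tier wins."""
    out = {}
    for ip, a in profile_clients(lines).items():
        fired = [name for name, pred, _ in TIERS if pred(a)]
        actions = [act for name, _, act in TIERS if name in fired] or ["allow"]
        out[ip] = (max(actions, key=SEVERITY.get), fired)
    return out


def log_line(ip, t, path, ua, status=200):
    return '%s - - [%s] "GET %s HTTP/1.1" %d 512 "-" "%s"' % (ip, t.strftime(TS_FMT), path, status, ua)


def build_sample():
    """Constructed access log: a browsing human, a plain HTTP flood, a targeted heavy-endpoint bot."""
    t0 = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone(timedelta(hours=3)))
    paths = ["/", "/catalog", "/static/app.js", "/static/style.css", "/search?q=lamp"]
    lines = [log_line("192.0.2.10", t0 + timedelta(seconds=2 * i), paths[i % 5], BROWSER_UA)
             for i in range(30)]                                   # human: 30 req/min, 20% search
    lines += [log_line("198.51.100.7", t0 + timedelta(seconds=i // 30), "/", "python-requests/2.31")
              for i in range(300)]                                 # flood: 30 req/s to the front page
    lines += [log_line("203.0.113.99", t0 + timedelta(seconds=i), "/search?q=%d" % i, BROWSER_UA)
              for i in range(40)]                                  # slow bot: only uncached search
    return lines


if __name__ == "__main__":
    for ip, (decision, fired) in decide(build_sample()).items():
        print(ip, decision, fired)
```

The rate tier alone would have let the search bot through at one request per second, and the heavy-endpoint tier alone would have let the front-page flood through; the point of stacking tiers is that each one catches what the others miss, at the price of having to tune every threshold per application so that real users do not trip them.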

And one more example as a bonus.
[Image: an unprotected server blocked by the hoster during a 600 Mbit attack]
(The "loss" of traffic is not visible because only one site was attacked; it was temporarily removed from the server and the block was lifted within an hour.)
[Image: the same server under protection. The attackers "gave up" after a day of attacking. The attack itself was not the strongest.]

L3/L4 attacks and protection against them are fairly trivial; they depend mainly on channel capacity and on the attack detection and scrubbing algorithms.
L7 attacks are more complex and original; they depend on the application under attack and on the attackers' capabilities and ingenuity. Protection against them requires a lot of knowledge and experience, and the result may be neither immediate nor 100%. At least until Google comes up with yet another neural network for protection.

source: www.habr.com