DDoS protection: how we run stress and load testing

Variti develops protection against bots and DDoS attacks, and also runs stress and load testing. At HighLoad++ 2018 we talked about how to protect resources from different kinds of attacks. In short: isolate parts of the system, use cloud services and a CDN, and update regularly. But you still cannot cope with protection without specialized companies :)

Before reading the transcript, you can read the short abstract on the conference website.
And if you don't like reading or just want to watch the video, the recording of our talk is under the spoiler below.

Video recording of the talk

Many companies already know how to do load testing, but not all of them do stress testing. Some of our customers believe that their site is invulnerable because they have a high-load system and it protects well against attacks. We show that this is not entirely true.
Of course, before we run the tests we obtain permission from the customer, signed and stamped, and with our help a DDoS attack cannot be carried out against anybody. The test is performed at a time chosen by the customer, when traffic to their resource is minimal and access problems will not affect their users. In addition, since something can always go wrong during testing, we stay in constant contact with the customer. This lets us not only report the results obtained, but also change something during the test. At the end of the test we always produce a report in which we point out the deficiencies found and give recommendations for eliminating the site's weaknesses.

How we work

When testing, we emulate a botnet. Since we work with customers who are not on our networks, and to make sure the test does not end in the first minute because of limits or protection being triggered, we deliver the load not from a single IP but from our own subnet. Also, to create a significant load, we have our own fairly powerful test server.

Principles

More does not mean better
The smaller the load with which we can bring a resource down, the better. If you can make a site stop working with one request per second, or even one request per minute, that is a result. Because by Murphy's law, users or attackers will stumble onto this weakness by accident.

Partial failure is better than complete failure
We always recommend partitioning systems. Moreover, it is worth separating them at the physical level, not just by containerization. With physical separation, even if something on the site fails, there is a high probability that it will not stop working completely, and users will keep access to at least part of the functionality.

Good architecture is the foundation of stability
The fault tolerance of a resource and its ability to withstand attacks and load must be laid down at the design stage, in fact at the stage of drawing the first flowcharts in a notebook. Because if fatal mistakes creep in, it is possible to fix them later, but it is very difficult.

Not only the code must be good, but also the config
Many people think that a good development team guarantees a fault-tolerant service. A good development team is indeed necessary, but there must also be good operations, proper DevOps. That is, we need specialists who will correctly configure Linux and the network, write the nginx configs correctly, set limits, and so on. Otherwise the resource will work well only in testing, and at some point everything will break in production.

The difference between load and stress testing
Load testing lets you identify the limits within which the system operates. Stress testing is aimed at finding weaknesses in the system; it is used to break the system and see how it behaves when certain components fail. In this case the nature of the load usually remains unknown to the customer before the stress testing begins.

Distinctive features of L7 attacks

We usually divide load into the L7 level and the L3&4 level. L7 is load at the application level; most often this means only HTTP, but we include any load at the level of protocols running over TCP.
L7 attacks have certain distinctive features. First, they arrive directly at the application, so they are unlikely to be stopped by network means. Such attacks exploit the application's logic, and because of this they consume CPU, memory, disk, database and other resources very efficiently with little traffic.

HTTP flood

With any attack, load is easier to create than to handle, and for L7 this is also true. It is not always easy to distinguish attack traffic from legitimate traffic; most often this can be done by request frequency, but if everything is planned correctly, it is impossible to tell from the logs which requests are the attack and which are legitimate.
As a first example, consider an HTTP flood attack. The graph shows that such attacks are usually very powerful:

[Graph: HTTP flood test]

An HTTP flood is the simplest way to create load. Usually it takes some load testing tool, such as ApacheBench, and a request and target are set. With such a simple approach there is a high probability of running into server-side caching, but it is easy to get around, for example by adding random strings to the request, which forces the server to constantly render a fresh page.
Also, don't forget about the user-agent when creating load. The user-agents of many popular testing tools are filtered by system administrators, and in that case the load may not reach the backend. You can significantly improve the result by inserting a more or less valid browser header into the request.
As simple as HTTP flood attacks are, they also have their drawbacks. First, a large amount of capacity is required to create the load. Second, such attacks are very easy to detect, especially if they come from a single address. As a result, the requests quickly start to be filtered, either by system administrators or even at the provider level.
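The three tell-tale signs above (high per-source rate, random query strings used as cache busters, and a testing tool's user-agent) are exactly what an operator looks for when triaging an access log. The script below is an added example for this article, not Variti's tooling: it parses nginx "combined" log lines, computes those three signals per source address, and flags sources that cross thresholds. The log lines, the RFC 5737 addresses, the thresholds and the user-agent pattern are all constructed for the example and should be tuned against your own baseline.

```python
"""Triage an nginx access log for HTTP-flood patterns (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime

# nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed detection thresholds; tune them against your own traffic.
RPS_THRESHOLD = 5.0        # sustained requests per second from one source
MIN_REQUESTS = 5           # too few requests to judge rate or query diversity
UNIQUE_QUERY_RATIO = 0.9   # share of distinct query strings that suggests cache busting
TOOL_UA_RE = re.compile(r"ApacheBench|wrk|siege|python-requests|curl|^-?$", re.I)

# Constructed sample: one source hammering /catalog with random query strings and a
# load-tool user-agent, two ordinary browser visitors.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Nov/2018:10:00:01 +0000] "GET /catalog?q=a8f3k HTTP/1.1" 200 5120 "-" "ApacheBench/2.3"
203.0.113.10 - - [10/Nov/2018:10:00:01 +0000] "GET /catalog?q=bq92m HTTP/1.1" 200 5120 "-" "ApacheBench/2.3"
203.0.113.10 - - [10/Nov/2018:10:00:01 +0000] "GET /catalog?q=c7zp1 HTTP/1.1" 200 5120 "-" "ApacheBench/2.3"
203.0.113.10 - - [10/Nov/2018:10:00:01 +0000] "GET /catalog?q=d0ll4 HTTP/1.1" 200 5120 "-" "ApacheBench/2.3"
203.0.113.10 - - [10/Nov/2018:10:00:01 +0000] "GET /catalog?q=e5ytq HTTP/1.1" 200 5120 "-" "ApacheBench/2.3"
203.0.113.10 - - [10/Nov/2018:10:00:01 +0000] "GET /catalog?q=f2nw8 HTTP/1.1" 200 5120 "-" "ApacheBench/2.3"
198.51.100.7 - - [10/Nov/2018:10:00:01 +0000] "GET /catalog?q=winter+tires HTTP/1.1" 200 5120 "https://abc.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/63.0"
198.51.100.7 - - [10/Nov/2018:10:00:03 +0000] "GET /product/42 HTTP/1.1" 200 8800 "https://abc.com/catalog" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/63.0"
198.51.100.8 - - [10/Nov/2018:10:00:02 +0000] "GET / HTTP/1.1" 200 2100 "-" "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/63.0"
"""


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["query"] = rec["path"].split("?", 1)[1] if "?" in rec["path"] else ""
    return rec


def analyze(log_text):
    """Per-source statistics: request count, rate, query diversity, tool user-agent seen."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    stats = {}
    for ip, recs in per_ip.items():
        first = min(r["ts"] for r in recs)
        last = max(r["ts"] for r in recs)
        span = (last - first).total_seconds() + 1  # inclusive span in seconds
        stats[ip] = {
            "count": len(recs),
            "rps": len(recs) / span,
            "unique_query_ratio": len({r["query"] for r in recs}) / len(recs),
            "tool_ua": any(TOOL_UA_RE.search(r["ua"]) for r in recs),
        }
    return stats


def flag_sources(log_text):
    """Map each suspicious source address to the list of reasons it was flagged."""
    flags = {}
    for ip, s in analyze(log_text).items():
        reasons = []
        if s["count"] >= MIN_REQUESTS and s["rps"] >= RPS_THRESHOLD:
            reasons.append("high-rate")
        if s["count"] >= MIN_REQUESTS and s["unique_query_ratio"] >= UNIQUE_QUERY_RATIO:
            reasons.append("cache-busting")
        if s["tool_ua"]:
            reasons.append("tool-user-agent")
        if reasons:
            flags[ip] = reasons
    return flags


if __name__ == "__main__":
    for ip, reasons in flag_sources(SAMPLE_LOG).items():
        print(ip, ", ".join(reasons))
```

The "cache-busting" signal is the interesting one: a browser visitor reuses the same handful of query strings, while a flood that appends random strings to dodge the cache produces a distinct query on almost every request. Rate alone is easy to evade by spreading the attack over many sources, which is why the article treats a single-address flood as the trivial case.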

What to look for

To reduce the number of requests per second without losing effectiveness, you need a little imagination and a close look at the site. That way you can load not only the channel or the server, but also individual parts of the application, for example the database or the file system. You can also look for places on the site that perform heavy computations: calculators, product selection pages, and so on. Finally, it often happens that the site has some PHP script that generates a page of several hundred thousand lines. Such a script also puts a heavy load on the server and can become the target of an attack.

Where to look

When we scan a resource before testing, we look first, of course, at the site itself. We look for all kinds of input fields and heavy files: in general, everything that can create problems for the resource and slow it down. The ordinary developer tools in Google Chrome and Firefox help here by showing page response times.
We also scan subdomains. For example, there is an online store, abc.com, and it has a subdomain admin.abc.com. Most likely this is an admin panel behind authorization, but if you put load on it, it can create problems for the main resource.
The site may have a subdomain api.abc.com. Most likely this is a resource for mobile applications. The application can be found in the App Store or Google Play, a dedicated access point set up, the API dissected, and test accounts registered. The problem is that people often think that anything protected by authorization is immune to denial-of-service attacks. Supposedly authorization is the best CAPTCHA, but it isn't. It is easy to create 10-20 test accounts, and by creating them we get access to complex and non-obvious functionality.
Naturally, we look at the history: robots.txt, WebArchive, ViewDNS, and old versions of the resource. Sometimes it happens that developers have rolled out, say, mail2.yandex.net, but the old version, mail.yandex.net, remains. This mail.yandex.net is no longer supported and no development resources are allocated to it, but it still uses the database. Accordingly, through the old version you can efficiently consume the backend resources and everything behind the front end. Of course, this does not always happen, but we still encounter it quite often.
Naturally, we analyze all request parameters and the cookie structure. You can, say, drop some value into a JSON array inside a cookie, nest it deeply, and make the resource work for an unreasonably long time.

Search load

The first thing that comes to mind when examining a site is loading the database, because almost everyone has search, and almost everyone, unfortunately, has it poorly protected. For some reason developers don't pay enough attention to search. But there is one recommendation here: don't send requests of the same kind, because you may run into caching, just as with an HTTP flood.
Sending random queries to the database is also not always effective. It is much better to build a list of keywords relevant to the search. Returning to the online store example: suppose the site sells car tires and lets you set the wheel radius, car type and other parameters. Combinations of relevant words will then force the database to work in very hard conditions.
In addition, it is worth using pagination: it is much harder for a search to return the penultimate page of results than the first. That is, pagination lets you vary the load a little.
The example below shows the search load. It can be seen that from the first second of testing, at a rate of ten requests per second, the site went down and did not respond.

[Graph: search load test]

What if there is no search?

If there is no search, that does not mean the site has no other vulnerable input fields. Such a field may be authorization. These days developers like to use expensive hashes to protect the login database from rainbow-table attacks. This is good, but such hashes consume a lot of CPU. A large flow of fake authorizations leads to processor exhaustion, and as a result the site stops working.
The presence on the site of all kinds of comment and feedback forms is a reason to send very large texts there or simply flood them. Sometimes sites accept attached files, including in gzip format. In this case we take a 1TB file, compress it to a few bytes or kilobytes with gzip and send it to the site. It is then unpacked, with a very interesting effect.
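The defence against the compressed-upload trick above is to never let the decompressed size be decided by the sender. The handler below is an added example for this article, not code from the original: it inflates a gzip body in bounded steps and aborts as soon as the output passes a cap, so a few kilobytes that would expand to gigabytes are rejected after about one megabyte of work. The 1 MiB cap, the constructed all-zero payload and the `handle_upload` outcome strings are assumptions for illustration.

```python
"""Unpack a gzip upload with a hard cap on the decompressed size (added example)."""
import gzip
import zlib

MAX_DECOMPRESSED_BYTES = 1 * 1024 * 1024   # assumed policy: reject anything that expands past 1 MiB
CHUNK = 64 * 1024                          # inflate at most this much per step so we can stop early


class DecompressionLimitExceeded(ValueError):
    """Raised as soon as the output would grow past the configured cap."""


def safe_gunzip(data: bytes, limit: int = MAX_DECOMPRESSED_BYTES) -> bytes:
    # wbits=16+MAX_WBITS selects the gzip container; decompressobj lets us bound each step.
    inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
    out = bytearray()
    pending = data
    while pending:
        out += inflater.decompress(pending, CHUNK)   # at most CHUNK bytes of output per call
        if len(out) > limit:
            raise DecompressionLimitExceeded(
                f"decompressed size exceeds {limit} bytes (compressed input was {len(data)} bytes)")
        pending = inflater.unconsumed_tail          # input zlib has not consumed yet
    out += inflater.flush()
    if len(out) > limit:
        raise DecompressionLimitExceeded(f"decompressed size exceeds {limit} bytes")
    return bytes(out)


def make_highly_compressible_upload(size: int) -> bytes:
    """Constructed sample: `size` zero bytes, which gzip shrinks by roughly 1000:1."""
    return gzip.compress(b"\0" * size, compresslevel=9)


def compression_ratio(compressed: bytes, original_size: int) -> float:
    return original_size / len(compressed)


def handle_upload(body: bytes) -> str:
    """Model of the upload handler: returns the outcome instead of sending an HTTP response."""
    try:
        payload = safe_gunzip(body)
    except DecompressionLimitExceeded:
        return "rejected: 413 Payload Too Large"
    except zlib.error:
        return "rejected: 400 Bad Request"
    return f"accepted: {len(payload)} bytes"


if __name__ == "__main__":
    bomb = make_highly_compressible_upload(4 * 1024 * 1024)
    print(f"{len(bomb)} compressed bytes, ratio {compression_ratio(bomb, 4 * 1024 * 1024):.0f}:1")
    print(handle_upload(bomb))
    print(handle_upload(gzip.compress(b"a normal upload")))
```

Calling `gzip.decompress` or `zlib.decompress` directly, as most upload handlers do, allocates the whole output before any size check can run; the `max_length` argument of `decompressobj.decompress` is what makes the early abort possible. The same cap should be applied to nested archives, since a gzip inside a zip is unpacked one layer at a time.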

REST API

I would like to pay a little attention to such popular services as REST APIs. Protecting a REST API is much harder than protecting a regular website. Even trivial defences against password brute force and other illegitimate activity do not work for a REST API.
A REST API is very easy to break because it accesses the database directly. At the same time, the failure of such a service has quite serious consequences for the business. The fact is that a REST API is usually used not only by the main website, but also by the mobile application and internal business systems. And if all of this goes down, the effect is much stronger than the failure of a simple website.

Loading heavy content

If we are asked to test an ordinary single-page application, a landing page, or a business-card website with no complex functionality, we look for heavy content. For example, large images served by the server, binary files, PDF documents: we try to download all of it. Such tests load the file system well and clog the channels, and are therefore effective. That is, even if you don't bring the server down, by downloading a large file at low speed you simply saturate the target server's channel, and denial of service follows.
An example of such a test shows that at a rate of 30 RPS the site stopped responding or returned 500 server errors.

[Graph: heavy content download test]

Don't forget about server configuration. You can often find that someone bought a virtual machine, installed Apache on it, left everything at the defaults, deployed a PHP application, and below you can see the result.

[Graph: test of a server left at default configuration]

Here the load went to the root page and reached only 10 RPS. We waited 5 minutes and the server crashed. It is true that it isn't entirely clear why it went down, but the assumption is that it simply consumed a lot of memory and therefore stopped responding.

Wave-based attacks

In the last year or two, wave attacks have become quite popular. This is because many organizations buy hardware appliances for DDoS protection, which need a certain time to collect statistics before they start filtering an attack. That is, they do not filter the attack in the first 30-40 seconds, because they are collecting data and learning. Accordingly, in those 30-40 seconds you can throw so much at the site that the resource stays down for a long time, until all the requests have been worked off.
In the case of the attack below, there was a pause of 10 minutes, after which a new, modified portion of the attack arrived.

[Graph: wave attack with a 10-minute pause between waves]

That is, the protection learned and started filtering, but then a new, completely different portion of the attack arrived, and the protection started learning again. In effect, filtering stops working, the protection becomes useless, and the site is unavailable.
Wave attacks are characterized by very high peak values: in the case of L7 they can reach a hundred thousand or a million requests per second. If we talk about L3&4, there may be hundreds of gigabits of traffic, or, correspondingly, hundreds of Mpps if you count in packets.
The problem with such attacks is synchronization. The attack comes from a botnet and requires a high degree of coordination to create a very large one-time spike. And this coordination doesn't always work: sometimes the result is a sort of parabolic peak, which looks rather pathetic.

Not only HTTP

In addition to HTTP at L7, we like to exploit other protocols. As a rule, an ordinary website, especially on ordinary hosting, has mail protocols and MySQL exposed. Mail protocols are less loaded than databases, but they can also be loaded quite efficiently and end up with the server's CPU overloaded.
We were quite successful with the 2016 SSH vulnerability. By now this vulnerability has been fixed almost everywhere, but that does not mean that SSH cannot be loaded. It can. Under a heavy load of authentication attempts SSH eats almost all of the server's CPU, and then the website falls over from one or two requests per second. Accordingly, those one or two requests cannot be distinguished from legitimate load in the logs.
The number of connections we open on servers also remains relevant. Previously Apache was guilty of this; now nginx suffers from it, because it is often left at its default configuration. The number of connections nginx can keep open is limited, so we open that many connections, nginx stops accepting new ones, and as a result the site doesn't work.
Our test cluster has enough CPU to attack the SSL handshake. In principle, as practice shows, botnets sometimes like to do this. On the one hand, it is clear that you can't do without SSL, because of Google results, ranking and security. On the other hand, SSL unfortunately has a CPU cost.

L3&4

When we talk about attacks at the L3&4 level, we usually mean attacks at the channel level. Such load is almost always distinguishable from legitimate load, unless it is a SYN flood. The problem SYN floods pose for protection tools is their sheer volume. The maximum L3&4 value was 1.5-2 Tbit/s. Traffic of this kind is very hard to handle even for large companies, including Oracle and Google.
SYN and SYN-ACK are the packets used when establishing a connection. Therefore a SYN flood is hard to distinguish from legitimate load: it isn't clear whether a given SYN arrived to establish a connection or is part of the flood.

UDP flood

Usually attackers don't have the capacity we have, so amplification can be used to organize an attack. That is, the attacker scans the Internet and finds vulnerable or misconfigured servers that, for example, answer a single SYN packet with three SYN-ACKs. By spoofing the source address to that of the target server, it is possible to multiply the power by, say, three per packet and redirect the traffic to the victim.

[Diagram: amplification attack]

The problem with amplification is that it is hard to detect. Recent examples include the sensational case of vulnerable memcached. Moreover, there are now a great many IoT devices and IP cameras that are also left at default configuration, and by default they are configured incorrectly, which is why attackers most often carry out attacks through such devices.


The difficult SYN flood

The SYN flood is probably the most interesting type of attack from a developer's point of view. The problem is that system administrators often use IP blocking for protection. Moreover, IP blocking is used not only by system administrators acting with scripts, but also, unfortunately, by some protection systems bought for a lot of money.
This method can turn into a disaster, because if the attackers change the IP addresses, the company will block its own subnet. When the firewall blocks its own cluster, outgoing external interactions fail and the resource goes down.
Moreover, it isn't hard to get your own network blocked. If the customer's office has a Wi-Fi network, or if the resource's availability is measured by various monitoring systems, then we take the IP address of that monitoring system or of the customer's office Wi-Fi and use it as the source. In the end the resource appears to be available, but the targeted IP addresses are blocked. In the same way, the Wi-Fi network of the HighLoad conference, where the company's new product is being presented, can be blocked, and this entails certain business and economic costs.
During testing we cannot use amplification via memcached or any other external resources, because our agreements allow sending traffic only to permitted IP addresses. Accordingly, we use amplification via SYN and SYN-ACK, when the system responds to one SYN with two or three SYN-ACKs, and at the output the attack is amplified two or three times.

Tools

One of the main tools we use for L7 work is Yandex-tank. In particular, phantom is used as the gun, and there are several scripts for generating cartridges and analyzing the results.
Tcpdump is used to analyze network traffic, and Nmap to analyze the server. To create load at the L3&4 level we use OpenSSL and a bit of our own magic with the DPDK library. DPDK is a library from Intel that lets you work with the network interface bypassing the Linux stack, thereby increasing efficiency. Naturally, we use DPDK not only at the L3&4 level but also at L7, because it lets us generate a very high request rate, in the range of several million requests per second from a single machine.
We also use various traffic generators and special tools that we write for specific tests. If we recall the SSH vulnerability, the set above cannot exploit it. If we attack a mail protocol, we take mail utilities or simply write scripts on top of them.

Conclusions

In conclusion, I would like to say:

  • In addition to classic load testing, it is necessary to conduct stress testing. We have a real example where a partner's subcontractor performed only load testing. It showed that the resource could withstand the normal load. But then an abnormal load appeared, site visitors started using the resource differently, and as a result the subcontractor's system went down. So it is worth looking for weaknesses even if you are already protected from DDoS attacks.
  • It is necessary to isolate some parts of the system from others. If you have search, you need to move it to separate machines, that is, not even just to Docker. Because if search or authorization fails, at least something will keep working. In the case of an online store, users will still find products in the catalogue, arrive from the aggregator, buy if they are already logged in, or log in via OAuth2.
  • Don't neglect cloud services of all kinds.
  • Use a CDN not only to reduce network latency, but also as protection against channel exhaustion attacks and simple floods of static traffic.
  • It is necessary to use specialized protection services. You can't protect yourself from L3&4 attacks at the channel level on your own, because you most likely simply don't have enough channel. You are also unlikely to fight off L7 attacks, because they can be very large. Moreover, detecting small attacks is still the domain of specialized services and specialized algorithms.
  • Update regularly. This applies not only to the kernel, but also to the SSH daemon, especially if you have it open to the outside. In principle, everything needs to be updated, because you are unlikely to be able to track every vulnerability yourself.

Source: www.habr.com
