Uvavanyo: ngaba kunokwenzeka ukunciphisa imiphumo emibi yokuhlaselwa kwe-DoS usebenzisa i-proxy?

Umfanekiso: Unsplash

Uhlaselo lwe-DoS sesinye sezona zoyikiso zikhulu kukhuseleko lolwazi kwi-Intanethi yanamhlanje. Kukho iibhotnet ezininzi eziqeshiswayo ngabahlaseli ukuze baqhube olo hlaselo.

Izazinzulu zeYunivesithi yaseSan Diego ziqhube kufunda Ukusetyenziswa kwe-proxies kunceda njani ukunciphisa umphumo ongalunganga wokuhlaselwa kwe-DoS - sinika ingqalelo yakho iithisisi eziphambili zalo msebenzi.

Intshayelelo: ummeli njengesixhobo sokulwa neDoS

Iimvavanyo ezifanayo zenziwa ngamaxesha athile ngabaphandi abavela kumazwe ahlukeneyo, kodwa ingxaki yabo eqhelekileyo kukunqongophala kwezixhobo zokulinganisa ukuhlaselwa okusondeleyo kwinyani. Uvavanyo kwiibhentshi ezincinci zokuvavanya azivumeli ukuphendula imibuzo malunga nendlela i-proxies ephumelelayo iya kuxhathisa ngayo ukuhlaselwa kwiinethiwekhi ezinzima, zeziphi iiparamitha ezidlala indima ebalulekileyo ekukwazi ukunciphisa umonakalo, njl.

Ngovavanyo, izazinzulu zenze imodeli yesicelo sewebhu esiqhelekileyo - umzekelo, inkonzo ye-e-commerce. Isebenza kusetyenziswa iqela leeseva; abasebenzisi basasazwa kwiindawo ezahlukeneyo zejografi kwaye basebenzise i-Intanethi ukufikelela kwinkonzo. Kulo mzekelo, i-Intanethi isebenza njengendlela yokunxibelelana phakathi kwenkonzo kunye nabasebenzisi - yile ndlela iinkonzo zewebhu ezisuka kwiinjini zokukhangela ukuya kwizixhobo zebhanki ze-intanethi zisebenza.

Ukuhlaselwa kweDoS kwenza ukusebenzisana okuqhelekileyo phakathi kwenkonzo kunye nabasebenzisi akunakwenzeka. Kukho iindidi ezimbini ze-DoS: i-application-level kunye ne-infrastructure-level attack. Kwimeko yokugqibela, abahlaseli bahlasela ngokuthe ngqo inethiwekhi kunye nemikhosi apho inkonzo iqhuba khona (umzekelo, bavala yonke i-bandwidth yenethiwekhi kunye ne-traffic traffic). Kwimeko yohlaselo lwenqanaba lesicelo, injongo yomhlaseli yi-interface yokusebenzisana nabasebenzisi-ukwenza oku, bathumela inani elikhulu lezicelo ukwenzela ukuba kubangele ukuphahlazeka kwesicelo. Uvavanyo luchaze uhlaselo oluchaphazelekayo kwinqanaba leziseko zophuhliso.

Uthungelwano lommeli sesinye sezixhobo zokunciphisa umonakalo ovela kuhlaselo lweDoS. Xa usebenzisa i-proxy, zonke izicelo ezivela kumsebenzisi kwinkonzo kunye neempendulo kubo azithunyelwa ngokuthe ngqo, kodwa ngamaseva aphakathi. Bobabini umsebenzisi kunye nesicelo "abonani" ngokuthe ngqo; ziidilesi zommeli kuphela ezifumanekayo kubo. Ngenxa yoko, akunakwenzeka ukuhlasela isicelo ngokuthe ngqo. Ekupheleni kwenethiwekhi kukho okubizwa ngokuba yi-edge proxies - i-proxies yangaphandle kunye needilesi ze-IP ezikhoyo, uxhulumaniso luya kubo kuqala.

Ukuxhathisa ngempumelelo uhlaselo lwe-DoS, inethiwekhi yommeleli kufuneka ibe nezinto ezimbini eziphambili. Okokuqala, uthungelwano olunjalo oluphakathi kufuneka ludlale indima yomlamli, oko kukuthi, isicelo sinokufikelela kuphela kuyo. Oku kuya kuphelisa ukuba kunokwenzeka ukuhlaselwa ngokuthe ngqo kwinkonzo. Okwesibini, inethiwekhi yommeleli kufuneka ikwazi ukuvumela abasebenzisi ukuba banxibelelane nesicelo nangexesha lokuhlaselwa.

Uvavanyo lweziseko zophuhliso

Uphononongo lusebenzise amacandelo amane aphambili:

• ukuphunyezwa kothungelwano lommeli;
• iseva yewebhu ye-Apache;
• isixhobo sovavanyo lwewebhu abanya;
• isixhobo sokuhlasela Trinoo.

Ukulinganisa kwenziwa kwimo ye-MicroGrid - ingasetyenziselwa ukulinganisa amanethiwekhi kunye ne-20 eyiwaka le-routers, enokuthelekiswa nothungelwano lwabaqhubi be-Tier-1.

Uthungelwano oluqhelekileyo lwe-Trinoo luquka isethi yeenginginya ezisengozini eqhuba inkqubo yedaemon. Kukwakho nesoftware yokubeka iliso kuthungelwano kunye nokukhokela uhlaselo lweDoS. Emva kokufumana uluhlu lweedilesi ze-IP, i-daemon ye-Trinoo ithumela iipakethi ze-UDP kwiithagethi ngamaxesha athile.

Ngexesha lovavanyo, amaqela amabini asetyenziswa. I-MicroGrid simulator iqhutywe kwi-16-node Xeon Linux cluster (iiseva ze-2.4GHz ezine-1 gigabyte yememori kumatshini ngamnye) exhunywe nge-1 Gbps Ethernet hub. Amanye amacandelo e-software abekwe kwiqela le-24 nodes (450MHz PII Linux-cthdths ene-1 GB yememori kumatshini ngamnye), exhunywe yi-100Mbps Ethernet hub. Amaqela amabini adityaniswe ngumjelo we-1Gbps.

Inethiwekhi yommeleli isingathwe kwichibi leenginginya ezili-1000. I-Edge proxies isasazwa ngokulinganayo kulo lonke ubuncwane bemithombo. Iiproxies zokusebenza kunye nesicelo zifumaneka kwiinginginya ezikufutshane neziseko zayo. Abameli abaseleyo basasazwa ngokulinganayo phakathi komphetho kunye ne-application proxies.

Inethiwekhi yokulinganisa

Ukufunda ukusebenza kwe-proxy njengesixhobo sokumelana nokuhlaselwa kwe-DoS, abaphandi balinganisa ukuveliswa kwesicelo phantsi kweemeko ezahlukeneyo zeempembelelo zangaphandle. Bekukho inani elipheleleyo le-192 proxies kuthungelwano lommeli (ama-64 kubo edge). Ukwenza uhlaselo, inethiwekhi ye-Trinoo yenziwa, kuquka iidemon ezili-100. Nganye yeedemon yayinomzila we-100Mbps. Oku kuhambelana ne-botnet ye-10 amawaka emizila yasekhaya.

Impembelelo yokuhlaselwa kwe-DoS kwisicelo kunye nenethiwekhi yommeleli yalinganiswa. Kuqwalaselo lovavanyo, isicelo sasinomjelo we-Intanethi we-250 Mbps, kwaye ummeleli ngamnye wecala unomjelo we-100 Mbps.

Iziphumo zovavanyo

Ngokusekelwe kwiziphumo zohlalutyo, kwavela ukuba ukuhlaselwa kwe-250Mbps kwandisa kakhulu ixesha lokuphendula kwesicelo (malunga namaxesha alishumi), ngenxa yoko kuba nzima ukuyisebenzisa. Nangona kunjalo, xa usebenzisa inethiwekhi yommeleli, uhlaselo alunayo impembelelo enkulu ekusebenzeni kwaye aluthobisi amava omsebenzisi. Oku kwenzeka ngenxa yokuba i-edge proxies iyancipha umphumo wokuhlaselwa, kwaye izibonelelo ezipheleleyo zenethiwekhi ye-proxy ziphezulu kunezo zesicelo ngokwazo.

Ngokwezibalo, ukuba amandla okuhlasela awadluli i-6.0Gbps (nangona i-throughput epheleleyo ye-edge proxy channels ibe yi-6.4Gbps kuphela), ngoko i-95% yabasebenzisi abafumani ukuhla okubonakalayo ekusebenzeni. Ngaphezu koko, kwimeko yokuhlaselwa okunamandla kakhulu okudlula i-6.4Gbps, kwanokusetyenziswa kwenethiwekhi yommeleli akuyi kuphepha ukuthotywa kwenqanaba lenkonzo kubasebenzisi bokugqibela.

Kwimeko yokuhlaselwa okugxininiswe, xa amandla abo egxininiswe kwisethi engahleliweyo ye-edge proxies. Kule meko, uhlaselo luvala inxalenye yenethiwekhi yommeleli, ngoko ke inxalenye ebalulekileyo yabasebenzisi iya kuqaphela ukuhla kokusebenza.

ezifunyanisiweyo

Iziphumo zovavanyo zibonisa ukuba inethiwekhi yommeleli inokuphucula ukusebenza kwezicelo ze-TCP kwaye ibonelele ngenqanaba eliqhelekileyo lenkonzo kubasebenzisi, nakwimeko yokuhlaselwa kweDoS. Ngokwedatha efunyenweyo, uthungelwano lommeli lujika lube yindlela esebenzayo yokunciphisa iziphumo zohlaselo; ngaphezulu kwe-90% yabasebenzisi abafumananga kuncipha komgangatho wenkonzo ngexesha lovavanyo. Ukongeza, abaphandi bafumanise ukuba njengoko ubungakanani benethiwekhi ye-proxy inyuka, isikali sohlaselo lwe-DoS enokumelana nalo sinyuka phantse ngokulandelelana. Ngoko ke, inethiwekhi enkulu, ngokufanelekileyo iya kulwa ne-DoS.

Amakhonkco aluncedo kunye nemathiriyeli evela I-Infatica:

• Uphando: Ukudala inkonzo yommeli ethintela ukuvalela usebenzisa ithiyori yomdlalo
• Imbali yomlo wokulwa novavanyo: indlela esebenza ngayo i-flash proxy eyenziwe zizazinzulu zaseMIT naseStanford
• Ukuqonda njani xa iiproxi zilele: ukuqinisekiswa kweendawo ezibonakalayo zenethiwekhi ye-proxies usebenzisa i-algorithm ye-geolocation esebenzayo
• Ungazifihla njani kwi-Intanethi: uthelekisa iseva kunye neeproxies zabahlali

Umthombo: www.habr.com