Everything is very bad, or a new type of traffic hijack

On March 13, the RIPE anti-abuse working group received a proposal to treat BGP hijacking as a violation of RIPE policy. If the proposal is accepted, an Internet provider attacked by traffic interception will be able to submit a special request to expose the attacker. If the review group collects enough supporting evidence, the LIR that was the source of the BGP hijack will be considered an intruder and may be stripped of its LIR status. There were also arguments against this change.

In this publication we want to show an example of an attack where not only the real attacker was in question, but also the entire list of affected prefixes. Moreover, such an attack again raises questions about the motives behind future hijacks of this type.

Over the past few years, only conflicts such as MOAS (Multiple Origin Autonomous System) have been covered in the press as BGP hijacks. MOAS is a special case in which two different autonomous systems announce conflicting prefixes with their corresponding ASNs in the AS_PATH (the first ASN in the AS_PATH, referred to below as the origin ASN). However, we can name at least 3 additional types of traffic hijack that allow an attacker to manipulate the AS_PATH attribute for different purposes, including bypassing current approaches to filtering and monitoring. The well-known Pilosov-Kapela attack is the last such type, though by no means the least important. It is quite possible that this is exactly the kind of attack we have seen over the past weeks. Such an event has an understandable nature and very serious consequences.

Those who want the TL;DR version can scroll down to the section titled "Perfect attack".

Network background

(to help you better understand the processes involved in this incident)

If you want to send a packet and your routing table has several prefixes that contain the destination IP address, you will use the route for the prefix with the longest length. If the routing table holds several different routes for the same prefix, you will choose the best one (according to the best path selection mechanism).

Existing filtering and monitoring approaches try to analyze routes and make decisions by analyzing the AS_PATH attribute. A router can change this attribute to any value when it advertises a route. Simply adding the owner's ASN at the beginning of the AS_PATH (as the origin ASN) can be enough to bypass current origin checking mechanisms. Moreover, if there is a route from the attacked ASN to you, it is possible to extract the AS_PATH of that route and use it in your other advertisements. Any AS_PATH-only validation of your crafted announcements will eventually pass.

There are still a few limitations worth mentioning. First, when the upstream provider filters by prefix, your route may still be filtered (even with a correct AS_PATH) if the prefix does not belong to your customer cone as configured at the upstream. Second, a valid AS_PATH may stop being valid if the crafted route is advertised in incorrect directions and therefore violates routing policy. Finally, any route with a prefix that violates the ROA length may be considered invalid.

The incident

A few weeks ago we received a complaint from one of our users. We saw routes with his origin ASN and /25 prefixes, while the user claimed that he had not announced them.

TABLE_DUMP2|1554076803|B|xxx|265466|78.163.7.0/25|265466 262761 263444 22356 3491 2914 9121|INCOMPLETE|xxx|0|0||NAG||
TABLE_DUMP2|1554076803|B|xxx|265466|78.163.7.128/25|265466 262761 263444 22356 3491 2914 9121|INCOMPLETE|xxx|0|0||NAG||
TABLE_DUMP2|1554076803|B|xxx|265466|78.163.18.0/25|265466 262761 263444 6762 2914 9121|INCOMPLETE|xxx|0|0||NAG||
TABLE_DUMP2|1554076803|B|xxx|265466|78.163.18.128/25|265466 262761 263444 6762 2914 9121|INCOMPLETE|xxx|0|0||NAG||
TABLE_DUMP2|1554076803|B|xxx|265466|78.163.226.0/25|265466 262761 263444 22356 3491 2914 9121|INCOMPLETE|xxx|0|0||NAG||
TABLE_DUMP2|1554076803|B|xxx|265466|78.163.226.128/25|265466 262761 263444 22356 3491 2914 9121|INCOMPLETE|xxx|0|0||NAG||
TABLE_DUMP2|1554076803|B|xxx|265466|78.164.7.0/25|265466 262761 263444 6762 2914 9121|INCOMPLETE|xxx|0|0||NAG||
TABLE_DUMP2|1554076803|B|xxx|265466|78.164.7.128/25|265466 262761 263444 6762 2914 9121|INCOMPLETE|xxx|0|0||NAG||

Examples of announcements from the beginning of April 2019

NTT in the path for a /25 prefix makes it especially suspicious. The NTT LG did not know about this route at the time of the incident. So yes, some operator is fabricating the entire AS_PATH for these prefixes! Checking other routers reveals one particular ASN: AS263444. After looking at other routes through this autonomous system, we came across the following situation:

TABLE_DUMP2|1554076800|B|xxx|265466|1.6.36.0/23|265466 262761 263444 52320 9583|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.6.38.0/23|265466 262761 263444 52320 9583|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.23.143.0/25|265466 262761 263444 22356 6762 9498 9730 45528|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.23.143.128/25|265466 262761 263444 22356 6762 9498 9730 45528|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.24.0.0/17|265466 262761 263444 6762 4837|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.24.128.0/17|265466 262761 263444 6762 4837|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.26.0.0/17|265466 262761 263444 6762 4837|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.26.128.0/17|265466 262761 263444 6762 4837|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.64.96.0/20|265466 262761 263444 6762 3491 4760|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.64.112.0/20|265466 262761 263444 6762 3491 4760|IGP|xxx|0|0||NAG||

Try to guess what is wrong here

It looks as if someone took the prefix from a route, split it into two parts, and announced a route with the same AS_PATH for those two prefixes.

TABLE_DUMP2|1554076800|B|xxx|263444|1.6.36.0/23|263444 52320 9583|IGP|xxx|0|0|32:12595 52320:21311 65444:20000|NAG||
TABLE_DUMP2|1554076800|B|xxx|263444|1.6.38.0/23|263444 52320 9583|IGP|xxx|0|0|32:12595 52320:21311 65444:20000|NAG||
TABLE_DUMP2|1554076800|B|xxx|61775|1.6.36.0/23|61775 262761 263444 52320 9583|IGP|xxx|0|0|32:12595 52320:21311 65444:20000|NAG||
TABLE_DUMP2|1554076800|B|xxx|61775|1.6.38.0/23|61775 262761 263444 52320 9583|IGP|xxx|0|0|32:12595 52320:21311 65444:20000|NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.6.36.0/23|265466 262761 263444 52320 9583|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.6.38.0/23|265466 262761 263444 52320 9583|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|28172|1.6.36.0/23|28172 52531 263444 52320 9583|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|28172|1.6.38.0/23|28172 52531 263444 52320 9583|IGP|xxx|0|0||NAG||

Example routes for one of the split prefix pairs

Several questions arise at once. Has anyone actually tried this type of hijack in practice? Has anyone accepted these routes? Which prefixes were affected?

This is where our streak of failures begins, along with yet another round of disappointment with the current state of the Internet's health.

The path of failure

First things first. How can we determine which routers accepted these hijacked routes and whose traffic could be rerouted today? We thought we would start with /25 prefixes because they "simply cannot be propagated worldwide." As you can guess, we were very wrong. This metric turned out to be too noisy, and routes with such prefixes can appear even from Tier-1 operators. For example, NTT has 50 such prefixes, which it distributes to its own customers. On the other hand, this metric is bad because such prefixes can be filtered out if an operator filters small prefixes in all directions. Therefore, this method is not suitable for finding all the operators whose traffic was redirected as a result of the incident.

Another idea that seemed good to us was to look at ROV, specifically at routes that violate the maxLength rule of the corresponding ROA. This way we could find the number of different origin ASNs with Invalid status that were visible to a given AS. However, there is a "small" problem. The average (median and mode) of this number (the number of different origin ASNs) is about 150 and, even if we filter out small prefixes, it stays above 70. This state of affairs has a very simple explanation: only a few operators already use ROA filters with a "drop invalid routes" policy at their entry points, so wherever a route with a ROA violation appears in the real world, it can propagate in all directions.

The last two approaches let us find the operators who saw our incident (since it was quite large), but in general they are not applicable. Fine, but can we find the attacker? What are the general features of this AS_PATH manipulation? There are a few basic assumptions:

  • The prefix had not been seen anywhere before;
  • The origin ASN (reminder: the first ASN in the AS_PATH) is valid;
  • The last ASN in the AS_PATH is the attacker's ASN (in case the neighbor checks the neighbor's ASN on all incoming routes);
  • The attack originates from a single provider.

If all the assumptions are correct, then every incorrect route will contain the attacker's ASN (in addition to the origin ASN), which makes it a "critical" point. Among the real hijackers was AS263444, although there were others, even when we excluded the incident routes from consideration. Why? A critical point can remain critical even for correct routes. It can be the result of poor connectivity in a region or of the limits of our own visibility.

As a result, there is a way to detect the attacker, but only if all the conditions above are met and only when the hijack is large enough to pass the monitoring thresholds. If some of these conditions are not met, can we still identify the prefixes that were affected by such a hijack? For certain operators, yes.

When an attacker creates a more specific route, that prefix is not announced by the real owner. If you have a dynamic list of all of the owner's prefixes, obtained from the owner itself, it becomes possible to make a comparison and find the distorted more specific routes. We collect this list of prefixes through our BGP sessions, because we are given not only the full list of routes visible to the operator right now, but also the list of all the prefixes it wants to advertise to the world. Unfortunately, there are now a dozen Radar users who do not complete the last part correctly. We will notify them shortly and try to resolve this issue. Everyone else can join our monitoring system right now.
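The comparison and critical-point search described above, sketched in Python as an added example (not code from the original article or from the monitoring system it describes). The first two dump lines are taken from this page; the third line, AS64500 and the declared prefix 1.6.36.0/22 are assumptions made up for the illustration.

```python
import ipaddress

# Lines 1-2 come from the dumps on this page; line 3 is constructed
# (AS64500 is a documentation ASN) to stand in for the owner's real route.
DUMP = """\
TABLE_DUMP2|1554076800|B|xxx|265466|1.6.36.0/23|265466 262761 263444 52320 9583|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|28172|1.6.38.0/23|28172 52531 263444 52320 9583|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|64500|1.6.36.0/22|64500 52320 9583|IGP|xxx|0|0||NAG||
"""
# Assumption: the prefixes the owner (origin AS9583) says it announces.
DECLARED = {9583: {ipaddress.ip_network("1.6.36.0/22")}}

def parse(dump):
    """Yield (prefix, as_path) from pipe-separated dump lines."""
    for line in dump.splitlines():
        f = line.split("|")
        if len(f) > 6 and f[0] in ("TABLE_DUMP2", "BGP4MP"):
            path = [int(a) for a in f[6].split() if a.isdigit()]  # skips AS_SETs
            if path:
                yield ipaddress.ip_network(f[5]), path

def split_routes(routes, declared):
    """Split routes into (legit, suspect). The origin is the rightmost ASN in
    the dump text; a suspect is an undeclared more-specific of a declared prefix."""
    legit, suspect = [], []
    for prefix, path in routes:
        own = declared.get(path[-1], set())
        if prefix in own:
            legit.append((prefix, path))
        elif any(p.version == prefix.version and prefix.subnet_of(p) for p in own):
            suspect.append((prefix, path))
    return legit, suspect

def critical_asns(suspect, legit=()):
    """ASNs (origin excluded) present on every suspect path, minus ASNs that
    also carry the owner's declared routes (that subtraction is a heuristic)."""
    if not suspect:
        return set()
    common = set.intersection(*(set(path[:-1]) for _, path in suspect))
    return common - {asn for _, path in legit for asn in path}

legit, suspect = split_routes(parse(DUMP), DECLARED)
print(sorted(str(p) for p, _ in suspect))
print(critical_asns(suspect), critical_asns(suspect, legit))
```

The unfiltered result also contains AS52320, because the reused tail of the path is common to the forged routes as well. When the hijacker is itself on the owner's legitimate paths, as in the transit-provider scenario, the subtraction would hide it and only the unfiltered set applies.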

If we return to the original incident, both the attacker and the propagation area were found by us by searching for critical points. Surprisingly, AS263444 did not send the fabricated routes to all of its customers. There is, however, one odd moment.

BGP4MP|1554905421|A|xxx|263444|178.248.236.0/24|263444 6762 197068|IGP|xxx|0|0|13106:12832 22356:6453 65444:20000|NAG||
BGP4MP|1554905421|A|xxx|263444|178.248.237.0/24|263444 6762 197068|IGP|xxx|0|0|13106:12832 22356:6453 65444:20000|NAG||

A recent example of an attempt to hijack our address space

When more specifics were created for our prefixes, a specially crafted AS_PATH was used. However, this AS_PATH could not have been taken from any of our previous routes. We do not even have connectivity with AS6762. Looking at the other routes in the incident, some of them had a real AS_PATH that had been used before, while others did not, even though it looks like a real one. Changing the AS_PATH in addition makes no practical sense, since the traffic will be sent to the attacker anyway, whereas routes with a "bad" AS_PATH can be filtered by ASPA or any other validation mechanism. Here we are thinking about the hijacker's motivation. At the moment we do not have enough information to confirm that this incident was a planned attack. Nevertheless, it is possible. Let us try to imagine a situation that is still hypothetical but potentially quite real.

Perfect attack

What do we have? Say you are a transit provider announcing routes for your customers. If your customers are multihomed, you receive only part of their traffic. But the more traffic, the higher your revenue. So if you start advertising subnet prefixes of these same routes with the same AS_PATH, you will receive the rest of their traffic. And, as a result, the rest of the money.

Will ROA help here? Perhaps yes, if you decide to stop using maxLength entirely. In addition, it is highly undesirable to have ROA records with overlapping prefixes. For some operators, such restrictions are unacceptable.

As for other routing security mechanisms, ASPA will not help in this case either (because the attack uses the AS_PATH from a valid route). BGPSec is still not the best option because of low adoption rates and the remaining possibility of downgrade attacks.

So we have a clear profit for the attacker and a lack of protection. A great mix!

What should we do?

The most obvious and most drastic step is to review your current routing policy. Split your address space into the smallest chunks (without overlaps) that you want to advertise. Sign ROAs for them only, without using the maxLength parameter. In this case your current ROV can save you from such an attack. However, again, for some operators this approach is not suitable because of their exclusive use of more specific routes. All the problems with the current state of ROA and route objects will be described in one of our future articles.
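Why maxLength and overlapping ROAs matter against a hijack that keeps the victim's origin ASN, shown as an added Python example (not from the original article). The validation follows the RFC 6811 rules; AS64496 and the 198.51.100.0/24 prefix are documentation values in a constructed scenario.

```python
import ipaddress
from collections import namedtuple

VRP = namedtuple("VRP", "prefix max_len asn")  # one validated ROA payload

def roa(prefix, asn, max_len=None):
    """Build a VRP; with no maxLength it defaults to the prefix length."""
    net = ipaddress.ip_network(prefix)
    return VRP(net, net.prefixlen if max_len is None else max_len, asn)

def rov(prefix, origin, vrps):
    """Origin validation in the style of RFC 6811."""
    net = ipaddress.ip_network(prefix)
    covering = [v for v in vrps
                if v.prefix.version == net.version and net.subnet_of(v.prefix)]
    if not covering:
        return "not-found"
    ok = any(v.asn == origin and net.prefixlen <= v.max_len for v in covering)
    return "valid" if ok else "invalid"

# Constructed scenario: AS64496 owns and announces 198.51.100.0/24 only.
OWNER = 64496
FORGED = ["198.51.100.0/25", "198.51.100.128/25"]  # halves announced by a hijacker
LOOSE = [roa("198.51.100.0/24", OWNER, max_len=25)]
STRICT = [roa("198.51.100.0/24", OWNER)]
# A second, looser ROA over the same space undoes the strict one.
OVERLAP = STRICT + [roa("198.51.100.0/24", OWNER, max_len=26)]

def verdicts(vrps):
    """ROV result for each forged half; the hijacker keeps the owner's origin ASN."""
    return [rov(p, OWNER, vrps) for p in FORGED]

for name, vrps in (("loose", LOOSE), ("strict", STRICT), ("overlap", OVERLAP)):
    print(name, verdicts(vrps), rov("198.51.100.0/24", OWNER, vrps))
```

Only the strict set turns the forged halves Invalid while the owner's own /24 stays Valid, and that helps only at networks that actually drop Invalid routes.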

In addition, you can try to monitor for such hijacks. To do this, we need reliable information about your prefixes. So, if you establish a BGP session with our collector and give us information about your visibility on the Internet, we can determine the scope of other incidents. For those who are not yet connected to our monitoring system, a list of routes with only your prefixes will be enough to begin with. If you have a session with us, please check that all of your routes have been sent. Unfortunately, this is worth remembering because some operators forget a prefix or two and thereby interfere with our detection methods. If this is done correctly, we will have reliable data about your prefixes, which in the future will help us automatically identify and detect this (and other) types of traffic hijack for your address space.

If you notice your traffic being hijacked in real time, you can try to counter it yourself. The first approach is to advertise routes with these more specific prefixes yourself. If there is a new attack on these prefixes, repeat.

The second approach is to punish the attacker, and those for whom it is a critical point (for good routes), by cutting off the attacker's access to your routes. This can be done by adding the attacker's ASN to the AS_PATH of your old routes, which forces them to avoid that AS through the loop detection mechanism built into BGP, for your own benefit.

Source: www.habr.com
