What and who is in the DDoS protection market

"The guy who built our website has already set up DDoS protection."
"We have DDoS protection, so why is the site down?"
"How many thousands does Qrator want?"

To answer such questions from a customer or manager properly, it helps to know what is hidden behind the phrase "DDoS protection". Choosing protection services is more like choosing a medicine with a doctor than choosing a table at IKEA.

I have been supporting websites for 11 years, have survived hundreds of attacks on the services I support, and now I will tell you a little about the inner workings of protection.

[Image: A typical attack. 350k total requests, 52k legitimate requests]

The first attacks appeared almost simultaneously with the Internet. DDoS as a mass phenomenon has been widespread since the late 2000s (see www.cloudflare.com/learning/ddos/famous-ddos-attacks).
Since around 2015-2016, almost all hosting providers have become protected against DDoS attacks, as have the notable sites in competitive niches (do a whois by IP of the sites eldorado.ru, leroymerlin.ru, tilda.ws, and you will see the networks of protection operators).

If 10-20 years ago most attacks could be repelled on the server itself (see the recommendations of Lenta.ru sysadmin Maxim Moshkov from the 90s: lib.ru/WEBMASTER/sowetywww2.txt_with-big-pictures.html#10), today the task of protection has become much harder.

Types of DDoS attacks from the point of view of choosing a protection operator

Attacks at the L3/L4 level (according to the OSI model)

- UDP flood from a botnet (many requests are sent directly from infected devices to the attacked service; the server's channel is saturated);
- DNS/NTP/etc. amplification (many requests are sent from infected devices to vulnerable DNS/NTP/etc. servers with a forged sender address; the cloud of packets answering those requests floods the victim's channel; this is how the most massive attacks on the modern Internet are carried out);
- SYN / ACK flood (many connection-establishment requests are sent to the attacked servers; the connection queue overflows);
- attacks with packet fragmentation, ping of death, ping flood (please Google them);
- and so on.

These attacks aim to "clog" the server's channel or "kill" its ability to accept new traffic.
Although SYN/ACK floods differ greatly from the others, many companies handle all of these equally well. Problems arise with attacks of the next group.

Attacks at L7 (the application layer)

- http flood (when a website or another http API is attacked);
- attacks on vulnerable spots of the site (those without a cache, those that load the site heavily, etc.).

The goal is to make the server "work hard", processing many "seemingly real requests" and being left without resources for the real ones.

Although there are other attacks, these are the most common.

Serious attacks at L7 are built differently for each attacked project.

Why 2 groups?
Because there are many who can repel attacks well at the L3/L4 level, but either do not offer protection at the application layer (L7) at all, or are weaker than the alternatives at dealing with it.

Who is in the DDoS protection market

(my personal opinion)

Protection at the L3/L4 level

To repel amplification attacks ("clogging" the server's channel), sufficiently wide channels are needed (many protection services connect to most of the large backbone providers in Russia and have channels with a theoretical capacity of more than 1 Tbit). Don't forget that only very rare amplification attacks last more than an hour. If you are Spamhaus and everyone dislikes you, yes, they may try to clog your channels for several days, even at the risk of the further survival of the global botnet being used. If you just have an online store, even if it is mvideo.ru, you won't see 1 Tbit for several days any time soon (I hope).

To repel SYN/ACK floods, packet fragmentation attacks, etc., you need hardware or software systems that detect and stop such attacks.
Many vendors make such hardware (Arbor; there are solutions from Cisco, Huawei, software implementations from Wanguard, etc.), and many backbone operators have already installed it and sell DDoS protection services (I know about installations at Rostelecom, Megafon, TTK, MTS; in fact, all major providers do the same, as do hosters with their own protection a la OVH.com, Hetzner.de; I personally encountered the protection at ihor.ru). Some companies develop their own software solutions (technologies like DPDK allow tens of gigabits of traffic to be processed on a single x86 machine).

Among the well-known players, everyone can fight L3/L4 DDoS more or less effectively. I won't say who has the larger channel capacity (that is insider information), but usually it is not that important; the only difference is how quickly protection kicks in (instantly, or after a few minutes of project downtime, as at Hetzner).
The question is how well it is done: an amplification attack can be repelled by blocking all traffic from the countries with the largest share of malicious traffic, or only the genuinely unnecessary traffic can be discarded.
But at the same time, based on my experience, all serious market players cope with this without problems: Qrator, DDoS-Guard, Kaspersky, G-Core Labs (formerly SkyParkCDN), ServicePipe, Stormwall, Voxility, etc.
I have not encountered the protection of operators like Rostelecom, Megafon, TTK, Beeline; according to colleagues' reviews, they provide these services quite well, but so far the lack of experience shows from time to time: sometimes you need to get something tweaked through the protection operator's support.
Some operators have a separate service, "protection against attacks at the L3/L4 level" or "channel protection"; it costs much less than protection at all levels.

Why doesn't a protection operator without its own backbone channels repel attacks of hundreds of Gbit? The protection operator can connect to any of the major providers and repel attacks "at its own expense". It will have to pay for the channel, but all those hundreds of Gbit will not be used all the time; there are options for significantly reducing channel costs in this case, so the scheme remains workable.
[Image] These are the reports I regularly received from higher-tier L3/L4 protection while supporting hosting providers' systems.

Protection at the L7 level (application layer)

Only a handful of operators can repel attacks at L7 (the application layer) consistently and effectively.
I have quite a lot of real experience with
- Qrator.net;
- DDoS-Guard;
- G-Core Labs;
- Kaspersky.

They charge per megabit of clean traffic; a megabit costs about several thousand rubles. If you have at least 100 Mbps of clean traffic, oh. Protection will be very expensive. In the following articles I can tell you how to design applications so as to save a lot on the capacity of protection channels.
The real "king of the hill" is Qrator.net; the rest lag behind them. Qrator is so far the only one in my experience that gives a false-positive rate close to zero, but at the same time they cost several times more than other market players.

Other operators also provide high-quality and stable protection. Many of the services we support (including some very well known in the country!) are protected by DDoS-Guard and G-Core Labs and are satisfied with the results.
[Image: Attack repelled by Qrator]

I also have experience with small protection operators such as cloud-shield.ru, ddosa.net, and there are thousands of them. I definitely won't recommend them, because I don't have much experience with them, but I will tell you about the principles of their work. Their protection often costs 1-2 orders of magnitude less than that of the big players. As a rule, they buy a partial protection service (L3/L4) from one of the big players and build their own protection against attacks at the higher levels. This can be quite effective, and you can get a good service for less money, but these are still small companies with small staffs; please keep that in mind.

What is the difficulty of repelling attacks at the L7 level?

All applications are unique, and you need to allow the traffic that is useful to them and block the malicious traffic. It is not always possible to weed out bots unambiguously, so you have to use many, REALLY many stages of traffic cleaning.

At one time the nginx-testcookie module was enough (https://github.com/kyprizel/testcookie-nginx-module), and it is still enough to repel a large number of attacks. While I worked in the hosting industry, L7 protection was based on nginx-testcookie.
Unfortunately, attacks have become much harder to handle. testcookie uses a JS-based bot check, and many modern bots can pass it successfully.

Attacking botnets are also different, and the peculiarities of each large botnet must be taken into account.
Amplification, direct flood from a botnet, filtering traffic from different countries (different filtering for different countries), SYN/ACK floods, packet fragmentation, ICMP, http flood, while at the application/http level you can come up with an unlimited number of different attacks.
In total, at the channel protection level, on the specialized traffic-cleaning hardware, in the special software and in the additional filtering settings for each client, there can be tens and hundreds of filtering levels.
To manage all this properly and fine-tune the filtering settings for different customers, you need a lot of experience and qualified staff. Even a large operator that has decided to provide protection services cannot simply "throw money at the problem": the experience will have to be gained on downed sites and on false positives on legitimate traffic.
There is no "repel DDoS" button at a protection operator; there is a large number of tools, and you need to know how to use them.
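To make the "many stages of traffic cleaning" idea concrete, here is an added example (written for this article, not code from any of the operators or from the testcookie module) that runs three independent L7 filtering stages over a small constructed access log: per-IP request rate, whether the client ever presents a testcookie-style JS challenge cookie, and whether it hammers cache-bypassing endpoints. The log format, the `tc` cookie name, the `/search` and `/cart` prefixes and all thresholds are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed log format for this example (not real nginx output): <ip> <unix_time> "<METHOD> <path>" <status> "<cookie or ->"
LINE_RE = re.compile(r'^(\S+) (\d+) "(\w+) (\S+)" (\d{3}) "([^"]*)"$')
UNCACHED_PREFIXES = ("/search", "/cart")  # assumed expensive, cache-bypassing endpoints
RATE_LIMIT = 10                           # requests per IP per 10 s window before stage 1 fires
CHALLENGE_COOKIE = "tc"                   # assumed name of a testcookie-style JS challenge cookie

LOG_LINES = (  # constructed sample: one flooding bot, one client that never passes the JS challenge, one human
    [f'203.0.113.5 {1000 + i // 4} "GET /search?q={i}" 200 "-"' for i in range(12)]
    + [f'203.0.113.6 {1000 + i} "GET /" 200 "-"' for i in range(8)]
    + [f'198.51.100.7 {1000 + 15 * i} "GET {p}" 200 "tc=ok"'
       for i, p in enumerate(["/", "/catalog", "/search?q=x", "/item/1", "/"])]
)

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # malformed line: ignored rather than trusted
    ip, ts, _method, path, _status, cookie = m.groups()
    return {"ip": ip, "ts": int(ts), "path": path, "has_cookie": f"{CHALLENGE_COOKIE}=" in cookie}

def busiest_window(times, window):
    # Largest number of requests falling inside any `window`-second interval (sliding window).
    times, j, best = sorted(times), 0, 0
    for i, t in enumerate(times):
        while t - times[j] >= window:
            j += 1
        best = max(best, i - j + 1)
    return best

def triage(lines, window=10):
    # Three independent stages per IP; "bot" needs at least two of them to agree, one alone is only "suspect".
    per_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        per_ip[rec["ip"]].append(rec)
    verdicts, bot_requests = {}, 0
    for ip, recs in per_ip.items():
        reasons = []
        if busiest_window([r["ts"] for r in recs], window) > RATE_LIMIT:
            reasons.append("rate")             # stage 1: volume
        if len(recs) > 1 and not any(r["has_cookie"] for r in recs[1:]):
            reasons.append("no-challenge")     # stage 2: never presents the JS challenge cookie
        uncached = sum(r["path"].startswith(UNCACHED_PREFIXES) for r in recs)
        if len(recs) >= 5 and uncached / len(recs) > 0.8:
            reasons.append("uncached-target")  # stage 3: concentrates on cache-bypassing endpoints
        verdicts[ip] = "bot" if len(reasons) >= 2 else ("suspect" if reasons else "ok")
        if verdicts[ip] == "bot":
            bot_requests += len(recs)
    total = sum(len(r) for r in per_ip.values())
    return {"verdicts": verdicts, "total": total, "bot": bot_requests}
```

Real deployments tune each stage per customer, which is exactly the per-client filtering work the section describes; the "suspect" class is where false positives on legitimate traffic are most likely, so it is the one to review rather than block outright.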

And one more bonus example.
[Image: An unprotected server blocked by the host during an attack of 600 Mbit]
(The "loss" of traffic is not noticeable, because only 1 site was attacked; it was temporarily removed from the server and the block was lifted within an hour.)
[Image: The same server, protected. The attackers "gave up" after a day of wasted attacks. The attack itself was not the most powerful.]

L3/L4 attacks and protection are fairly trivial; they depend mainly on channel capacity and on the algorithms for detecting and filtering attacks.
L7 attacks are more complex and more interesting; they depend on the attacked application and on the skills and imagination of the attackers. Protection against them requires a lot of knowledge and experience, and the result may be neither immediate nor one hundred percent. At least until Google comes up with yet another neural network for protection.

Source: www.habr.com
