DDoS to the rescue: how we conduct stress and load tests

Variti develops protection against bots and DDoS attacks, and also performs stress and load testing. At the HighLoad++ 2018 conference we talked about how to protect resources against different kinds of attacks. In short: isolate parts of the system, use cloud services and CDNs, and update regularly. But you still cannot manage protection without specialized companies :)

Before reading the text, you can look at the short theses on the conference website.
And if you do not like reading, or just want to watch the video, the recording of our talk is below under the spoiler.

Video recording of the talk

Many companies already know how to do load testing, but not all of them do stress testing. Some of our customers believe their site is invulnerable because it runs on a high-load system, and that this protects it well against attacks. We show that this is not entirely true.
Naturally, before running any tests we obtain the customer's consent, signed and stamped, so a DDoS attack cannot be carried out on just anyone with our help. Testing is performed at a time chosen by the customer, when traffic to their resource is minimal and accessibility problems will not affect their clients. Moreover, since something can always go wrong during the testing process, we stay in constant contact with the customer. This lets us not only report the results obtained, but also change something in the middle of the test. After testing is complete, we always draw up a report in which we point out the shortcomings found and give recommendations for eliminating the site's weaknesses.

How we work

When testing, we emulate a botnet. Since we work with customers who are not on our networks, and to make sure the test does not end in the first minute because of limits or configured protection, we do not deliver the load from a single IP but from our own subnet. Also, to create a significant load, we have our own fairly powerful test server.

Postulates

More does not mean better
The smaller the load with which we can bring a resource to failure, the better. If you can make a site stop working with one request per second, or one request per minute, that is great. Because by Murphy's law, users or attackers will stumble into this vulnerability by accident.

Partial failure is better than complete failure
We always advise separating systems. Moreover, it is worth separating them at the physical level, not just by containers. With physical separation, even if something on the site fails, there is a good chance it will not stop working completely, and users will keep access to at least part of the functionality.

Good architecture is the basis of resilience
The fault tolerance of a resource and its ability to withstand attacks and loads should be laid down at the design stage, in fact at the stage of drawing the first flowcharts in a notebook. Because if fatal errors creep in, it is possible to fix them later, but very difficult.

Not only the code must be good, but also the config
Many people think that a good development team is a guarantee of a fault-tolerant service. A good development team is indeed necessary, but there must also be good operations, good DevOps. That is, we need specialists who will properly configure Linux and the network, write the nginx configuration properly, set limits, and so on. Otherwise the resource will work well only in testing, and at some point everything will break in production.

The difference between load and stress testing
Load testing lets you see the performance limits of a system. Stress testing is aimed at finding weaknesses in a system; it is used to break the system and see how it behaves when particular components fail. In this case, the nature of the load usually remains unknown to the customer before the stress test begins.

Distinctive features of L7 attacks

We usually divide load types into loads at the L7 level and at the L3&4 levels. L7 is load at the application level; most often this means only HTTP, but we mean any load on a protocol above TCP.
L7 attacks have certain distinctive features. First, they hit the application directly, which means they are unlikely to be detected by network means. Such attacks use the application's logic, and because of that they consume CPU, memory, disk, database and other resources very efficiently with little traffic.

HTTP flood

In the case of any attack, load is easier to create than to handle, and for L7 this is certainly true. Attack traffic is not always easy to distinguish from legitimate traffic; most often this can be done by frequency, but if everything is planned correctly, it is impossible to tell from the logs which requests are the attack and which are legitimate.
As a first example, consider an HTTP flood attack. The graph shows that such attacks are usually very powerful; in the example below, the peak number of requests exceeded 600 thousand per minute.


HTTP flood is the simplest way to create load. Usually it takes some load testing tool, like ApacheBench, in which you set the request and the target. With such a simple approach there is a high chance of hitting the server cache, but that is easy to bypass. For example, by adding random strings to the request, which forces the server to constantly render a fresh page.
Also, do not forget about the user agent when generating load. The user agents of many popular testing tools are filtered by sysadmins, and in that case the load may simply never reach the backend. You can significantly improve the result by inserting a more or less valid browser header into the request.
As simple as HTTP flood attacks are, they have their drawbacks. First, a lot of capacity is needed to create the load. Second, such attacks are very easy to detect, especially if they come from a single address. As a result, the requests quickly start to be filtered by sysadmins or even at the provider level.
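The three signs of an HTTP flood named above (a burst from one source, a load-tool user agent, and random cache-busting query strings) are exactly what a defender looks for in the access log. The following is an added example, not Variti's tooling: it parses nginx combined-format lines and flags sources showing those signs; the thresholds and the sample log lines are assumptions constructed for the demo.

```python
"""Spot HTTP-flood signatures in nginx combined-format access logs."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# User-Agent substrings of common load tools (assumed list; extend per site).
TOOL_UAS = ("ApacheBench", "wrk", "python-requests", "Go-http-client")

# Constructed sample lines, not real traffic: six cache-busting requests in one
# second from one source, plus two ordinary browser requests from another.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Nov/2018:12:00:01 +0300] "GET /catalog?r={tok} HTTP/1.1" '
    f'200 5120 "-" "ApacheBench/2.3"'
    for tok in ("a1f9", "b7c2", "c3e8", "d0a4", "e5b1", "f9d6")
] + [
    '198.51.100.20 - - [10/Nov/2018:12:00:01 +0300] "GET /catalog HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Nov/2018:12:00:04 +0300] "GET /item/42 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
]

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def analyze(lines, rps_threshold=5, min_requests=5, distinct_query_ratio=0.8):
    """Map each suspicious source IP to the list of reasons it was flagged."""
    per_second = defaultdict(lambda: defaultdict(int))  # ip -> second -> count
    queries = defaultdict(set)                           # ip -> distinct query strings
    total = defaultdict(int)
    tool_hits = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than crash on them
        ip = rec["ip"]
        total[ip] += 1
        per_second[ip][rec["ts"]] += 1
        if any(tag in rec["ua"] for tag in TOOL_UAS):
            tool_hits[ip] += 1
        _, _, query = rec["path"].partition("?")
        if query:
            queries[ip].add(query)
    findings = {}
    for ip, n in total.items():
        reasons = []
        peak = max(per_second[ip].values())
        if peak >= rps_threshold:
            reasons.append(f"burst {peak} req/s")
        if tool_hits[ip]:
            reasons.append("load-tool user agent")
        # Nearly every request carrying a never-repeated query string is the
        # cache-busting pattern described in the text.
        if n >= min_requests and len(queries[ip]) / n >= distinct_query_ratio:
            reasons.append("cache-busting query strings")
        if reasons:
            findings[ip] = reasons
    return findings

if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(reasons))
```

Run over a real log, the per-second burst check is the one that keeps firing once the other two signals have been hidden by a valid browser header and a fixed URL.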

What to look for

To reduce the number of requests per second without losing effectiveness, you need to show a little imagination and explore the site. You can then load not only the channel or the server, but also individual parts of the application, for example the database or the file system. You can also look for places on the site that do heavy calculations: calculators, product selection pages, and so on. Finally, it often happens that the site has some PHP script that generates a page of several hundred thousand lines. Such a script also loads the server considerably and can become an attack target.

Where to look

When we scan a resource before testing, we start, of course, by looking at the site itself. We look for all kinds of input fields and heavy files; in general, everything that can create problems for the resource and slow it down. The ordinary developer tools in Google Chrome and Firefox help here, since they show page response times.
We also scan subdomains. For example, there is some online store, abc.com, and it has the subdomain admin.abc.com. Most likely this is an admin panel behind authorization, but if you put load on it, it can create problems for the main resource.
The site may have the subdomain api.abc.com. Most likely this is a resource for mobile applications. The application can be found in the App Store or Google Play, a special access point can be set up, the API dissected and test accounts registered. The problem is that people often think that anything protected by authorization is immune to denial-of-service attacks. Supposedly, authorization is the best CAPTCHA, but it is not. It is easy to make 10-20 test accounts, and by creating them we get access to complex and undisguised functionality.
Naturally, we look at the history, at robots.txt and in WebArchive and ViewDNS, and look for old versions of the resource. Sometimes it happens that developers have rolled out, say, mail2.yandex.net, but the old version, mail.yandex.net, remains. This mail.yandex.net is no longer supported and no development resources are allocated to it, but it continues to use the database. Accordingly, using the old version, you can effectively consume the backend resources and everything behind the infrastructure. Of course, this does not always happen, but we still encounter it quite often.
Naturally, we analyze all request parameters and the cookie structure. You can, say, dump some value into a JSON array inside a cookie, create a lot of nesting and make the resource work for an unreasonably long time.

Search load

The first thing that comes to mind when researching a site is loading the database, since almost everyone has search, and almost everyone, unfortunately, has it poorly protected. For some reason developers do not pay enough attention to search. But there is one recommendation here: do not make requests of the same type, because you may run into caching, as happens with HTTP flood.
Making random queries to the database does not always work either. It is much better to make a list of keywords relevant to the search. Returning to the online store example: say the site sells car tires and lets you set the wheel radius, car type and other parameters. Accordingly, combinations of relevant words will force the database to operate in much more complex conditions.
In addition, it is worth using pagination: it is much harder for search to return the penultimate page of results than the first. That is, with pagination you can diversify the load somewhat.
The example below shows the search load. It can be seen that from the very first second of testing, at a rate of ten requests per second, the site went down and stopped responding.


What if there is no search?

If there is no search, that does not mean the site has no other vulnerable input fields. This field may be authorization. Nowadays developers like to use expensive hashes to protect login data from rainbow table attacks. That is good, but such hashes consume a lot of CPU. A large flow of fake authorizations brings the processor to its knees, and as a result the site stops working.
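The expensive-hash problem above has a standard mitigation: refuse the excess attempts before the hash is computed, so the attacker pays for the flood and the server does not. The following is an added example, not the article's code: a login endpoint in the unprotected form beside one gated by a per-source token bucket, with a counter of how many scrypt computations each actually performs. The scrypt cost parameters, the bucket limits and the sample credentials are assumptions for the demo.

```python
"""Reject login floods before paying for the password hash."""
import hashlib
import hmac
import os
from collections import Counter

SCRYPT = dict(n=2 ** 14, r=8, p=1, dklen=32)  # assumed cost parameters

def hash_password(password, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)

def verify_password(password, salt, digest):
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return hmac.compare_digest(candidate, digest)

class ManualClock:
    """Deterministic clock so the bucket refill can be stepped by hand."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now

class TokenBucket:
    """Per-source limiter: `rate` attempts per second, bursts up to `capacity`."""
    def __init__(self, rate, capacity, clock):
        self.rate, self.capacity, self.clock = rate, capacity, clock
        self.state = {}  # source -> (tokens, last_refill_time)

    def allow(self, source):
        now = self.clock()
        tokens, last = self.state.get(source, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.state[source] = (tokens, now)
            return False
        self.state[source] = (tokens - 1, now)
        return True

class LoginService:
    def __init__(self, users, limiter=None):
        self.users = users          # username -> (salt, digest)
        self.limiter = limiter      # None reproduces the unprotected endpoint
        self.hashes_computed = 0    # the expensive work actually performed

    def login(self, source_ip, username, password):
        if self.limiter is not None and not self.limiter.allow(source_ip):
            return "rate_limited"   # refused before any hashing
        self.hashes_computed += 1
        record = self.users.get(username)
        if record is None:
            # Hash anyway so unknown usernames cost the same as known ones.
            hashlib.scrypt(password.encode(), salt=bytes(16), **SCRYPT)
            return "denied"
        return "ok" if verify_password(password, *record) else "denied"

def flood(service, source_ip, username, password, attempts):
    """Send `attempts` logins from one source and tally the outcomes."""
    return Counter(service.login(source_ip, username, password) for _ in range(attempts))
```

Keying the bucket on the source address alone is the simplest choice; a botnet spreads attempts across many addresses, so in practice the bucket is combined with a per-account limiter and the external protection services mentioned later in the text.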
The presence on the site of all kinds of comment and feedback forms is a reason to send very large texts there or simply create a massive flood. Sometimes sites accept attached files, including in gzip format. In this case, we take a 1 TB file, compress it to a few bytes or kilobytes using gzip and send it to the site. It is then unpacked, and a very interesting effect is obtained.
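The defence against the compressed upload just described is to never inflate an archive to completion before checking its size. The following is an added example, not the article's code: the unbounded reader beside a bounded one that inflates in slices and aborts once a cap is passed, with a small constructed archive of zeros standing in for the upload. The 64 KiB cap and the sample sizes are assumptions for the demo.

```python
"""Bounded decompression for gzip uploads."""
import gzip
import io

MAX_OUTPUT = 64 * 1024  # assumed per-upload cap on decompressed bytes

class UploadTooLarge(Exception):
    pass

def make_sample_upload(size):
    """Constructed sample: `size` zero bytes, gzip-compressed (1 MiB -> about 1 KiB)."""
    return gzip.compress(bytes(size))

def inflate_unbounded(data):
    """Vulnerable: inflates the whole stream regardless of the resulting size."""
    return gzip.decompress(data)

def inflate_bounded(data, limit=MAX_OUTPUT, chunk=16 * 1024):
    """Hardened: read the stream in slices and stop once `limit` is exceeded.

    GzipFile.read(n) returns at most n inflated bytes, so memory use is bounded
    by `limit` plus one slice, whatever the archive actually contains.
    """
    out = bytearray()
    with gzip.GzipFile(fileobj=io.BytesIO(data)) as stream:
        while True:
            # Ask for one byte past the remaining budget so an oversize upload
            # is detected without inflating it any further.
            piece = stream.read(min(chunk, limit + 1 - len(out)))
            if not piece:
                break
            out += piece
            if len(out) > limit:
                raise UploadTooLarge(f"decompressed size exceeds {limit} bytes")
    return bytes(out)

def rejects(data, limit=MAX_OUTPUT):
    """True if the bounded reader refuses `data`; a convenience for callers."""
    try:
        inflate_bounded(data, limit)
    except UploadTooLarge:
        return True
    return False

if __name__ == "__main__":
    bomb = make_sample_upload(1024 * 1024)
    print(len(bomb), "compressed bytes inflate to", len(inflate_unbounded(bomb)))
    print("bounded reader rejects it:", rejects(bomb))
```

The same slice-and-cap pattern applies to nested archives (zip inside gzip) and to the total across all files in one request, since the cap is on output, not on the declared size in the header.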

REST API

I would like to pay a little attention to popular services such as the REST API. Protecting a REST API is much harder than protecting a regular website. Even trivial means of protection against password brute force and other illegitimate activity do not work for a REST API.
A REST API is very easy to break because it accesses the database directly. At the same time, the failure of such a service carries quite serious consequences for the business. The fact is that a REST API is usually used not only by the main website, but also by the mobile application and other internal business resources. And if all of this goes down, the effect is much stronger than a simple website failure.

Loading heavy content

If we are asked to test an ordinary single-page application, a landing page or a business-card website with no complex functionality, we look for heavy content. For example, large images served by the server, binary files, PDF documents: we try to download all of this. Such tests load the file system well and clog channels, so they are effective. That is, even if you do not bring the server down, by downloading a large file at a low speed you will simply clog the target server's channel and a denial of service will occur.
An example of such a test shows that at a rate of 30 RPS the site stopped responding or produced 500 server errors.


Do not forget about server setup. You can often find that someone bought a virtual machine, installed Apache there, left everything at the defaults, installed a PHP application, and below you can see the result.


Here the load went to the root of the site and reached only 10 RPS. We waited 5 minutes and the server crashed. Admittedly, it is not known for certain why it fell, but the assumption is that it was using a lot of memory, so it stopped responding.

Wave-based attacks

A year or two ago, wave attacks became very popular. This is because many organizations buy certain hardware for DDoS protection that needs some time to accumulate statistics before it starts filtering the attack. That is, they do not filter the attack in the first 30-40 seconds, because they are collecting data and learning. Accordingly, in these 30-40 seconds you can launch so much at the site that the resource will lie down for a long time until all the requests are cleared.
In the case of the attack below, there was a 10-minute interval, after which a new, modified portion of the attack arrived.


That is, the defense learned and started filtering, but a new, completely different portion of the attack arrived, and the defense started learning all over again. In effect, filtering stops working, the protection is ineffective, and the site is unavailable.
Wave attacks are characterized by very high values at the peak; for L7 it can reach a hundred thousand or a million requests per second. If we are talking about L3&4, then there can be hundreds of gigabits of traffic, or, accordingly, hundreds of Mpps if you count in packets.
The problem with such attacks is synchronization. The attack comes from a botnet and requires a high degree of synchronization to create a very large one-time spike. And this coordination does not always work out: sometimes the output is some kind of parabolic peak, which looks rather pathetic.

Not only HTTP

Besides HTTP at L7, we like to exploit other protocols. As a rule, an ordinary website, especially on ordinary hosting, has mail protocols and MySQL exposed. Mail protocols are subject to less load than databases, but they can also be loaded quite effectively and end up with a heavily loaded CPU on the server.
We were quite successful using the 2016 SSH vulnerability. Now this vulnerability has been fixed for almost everyone, but this does not mean that load cannot be sent to SSH. It can. Under heavy authorization load, SSH eats almost the entire CPU on the server, and then the website falls over at one or two requests per second. Accordingly, judging by the logs, these one or two requests cannot be distinguished from legitimate load.
The many connections we open to servers are also still relevant. Previously Apache was guilty of this; now it is actually nginx, since it is often left in its default configuration. The number of connections nginx can keep open is limited, so we open that number of connections, nginx no longer accepts new ones, and as a result the site does not work.
Our test cluster has enough CPU to attack the SSL handshake. In fact, as practice shows, botnets sometimes like to do this too. On the one hand, it is clear that you cannot do without SSL, because of Google results, ranking and security. On the other hand, SSL unfortunately has a CPU problem.

L3&4

When we talk about attacks at the L3&4 levels, we usually talk about attacks at the link level. Such load is almost always distinguishable from legitimate load, unless it is a SYN-flood attack. The problem with SYN-flood attacks for security tools is their large volume. The maximum L3&4 value observed was 1.5-2 Tbit/s. This kind of traffic is very hard to process even for large companies, including Oracle and Google.
SYN and SYN-ACK packets are used when establishing a connection. Therefore, a SYN flood is hard to distinguish from legitimate load: it is not clear whether a given SYN came to establish a connection or is part of the flood.

UDP floods

Usually attackers do not have the capabilities we have, so amplification can be used to organize an attack. That is, the attacker scans the internet and finds vulnerable or misconfigured servers that, for example, reply to one SYN packet with three SYN-ACKs. By spoofing the source address to the target server's address, it is possible to increase the power by, say, three times per packet and redirect the traffic to the victim.


The problem with amplification is that it is hard to detect. Recent examples include the sensational case of vulnerable memcached. Also, there are now a lot of IoT devices and IP cameras, which are also mostly left at default settings, and by default they are misconfigured, which is why attackers most often attack through such devices.


The difficult SYN flood

SYN flood is probably the most interesting type of attack from a developer's point of view. The problem is that sysadmins often use IP blocking for protection. Moreover, IP blocking is used not only by sysadmins acting with scripts, but also, unfortunately, by some security systems bought for a lot of money.
This method can turn into a disaster, because if attackers spoof IP addresses, the company will block its own subnet. When the firewall blocks its own cluster, external interaction breaks down and the resource fails.
Moreover, it is not hard to block your own network. If the client's office has a Wi-Fi network, or if the resource's performance is measured using various monitoring systems, then we take the IP address of this monitoring system or the client's office Wi-Fi and use it as the source. In the end, the resource appears to be available, but the targeted IP addresses are blocked. Thus, the Wi-Fi network of the HighLoad conference, where a company's new product is being presented, may be blocked, and this entails certain business and economic costs.
During testing, we cannot use amplification via memcached or any external resources, because the agreements allow sending traffic only to permitted IP addresses. Accordingly, we use amplification via SYN and SYN-ACK, when the system responds to a single SYN with two or three SYN-ACKs, so at the output the attack is multiplied by two or three.

Tools

One of the main tools we use for L7 load is Yandex-tank. In particular, phantom is used as the gun, and there are several scripts for generating cartridges and analyzing results.
Tcpdump is used for analyzing network traffic, and Nmap for analyzing the server. To create load at the L3&4 level, OpenSSL and a bit of our own magic with the DPDK library are used. DPDK is a library from Intel that lets you work with the network interface bypassing the Linux stack, thereby increasing efficiency. Naturally, we use DPDK not only at the L3&4 level but also at L7, because it lets us create a very high load flow, in the range of several million requests per second from a single machine.
We also use certain traffic generators and special tools we write for specific tests. If we recall the SSH vulnerability, the set above cannot be used. If we attack a mail protocol, we take mail utilities or simply write scripts on top of them.

Conclusions

In conclusion, I would like to say:

  • Besides classic load testing, it is necessary to do stress testing. We have a real example where a partner's subcontractor did only load testing. It showed that the resource could withstand a normal load. But then an abnormal load appeared, site visitors started using the resource differently, and as a result the subcontractor went down. Thus, it is worth looking for vulnerabilities even if you are already protected from DDoS attacks.
  • It is necessary to isolate certain parts of the system from others. If you have search, you need to move it to separate machines, that is, not even to Docker. Because if search or authorization fails, at least something will keep working. In the case of an online store, users will continue to find products in the catalog, come from the aggregator, buy if they are already authorized, or authorize via OAuth2.
  • Do not neglect all kinds of cloud services.
  • Use a CDN not only to improve network latency, but also as a means of protection against channel exhaustion attacks and floods against static content.
  • It is necessary to use specialized protection services. You cannot protect yourself from L3&4 attacks at the channel level, because you most likely simply do not have enough channel. And you are unlikely to fight off L7 attacks either, because they can be very large. Also, detecting small attacks is still the prerogative of specialized services and specialized algorithms.
  • Update regularly. This applies not only to the kernel, but also to the SSH daemon, especially if you have it open to the outside. In general, everything needs to be updated, because you are unlikely to be able to track every vulnerability on your own.

Source: www.habr.com
