Isilingo: kungenzeka yini ukunciphisa imiphumela emibi yokuhlaselwa kwe-DoS usebenzisa ummeleli?

Isithombe: Unsplash

Ukuhlaselwa kwe-DoS kungenye yezinsongo ezinkulu ekuvikelekeni kolwazi ku-inthanethi yesimanje. Kunenqwaba yama-botnet abahlaseli abawaqashayo ukuze benze ukuhlasela okunjalo.

Ososayensi abavela eNyuvesi yaseSan Diego benza ukutadisha Ukusetshenziswa kwama-proxies kusiza kanjani ukwehlisa umthelela omubi wokuhlaselwa kwe-DoS - sethula ukunaka kwakho imiqondo eyinhloko yalo msebenzi.

Isingeniso: ummeleli njengethuluzi lokulwa ne-DoS

Ukuhlola okufanayo kwenziwa ngezikhathi ezithile abacwaningi abavela emazweni ahlukene, kodwa inkinga yabo evamile ukuntuleka kwezinsiza zokulingisa ukuhlasela okuseduze neqiniso. Ukuhlolwa emabhentshini amancane okuhlola akuvumeli ukuphendula imibuzo mayelana nokuthi ama-proxies azomelana kanjani ngempumelelo namanethiwekhi ayinkimbinkimbi, yiziphi imingcele ezidlala indima ebalulekile ekhonweni lokunciphisa umonakalo, njll.

Ocwaningweni, ososayensi badale imodeli yohlelo lokusebenza lwewebhu olujwayelekile - isibonelo, isevisi ye-e-commerce. Isebenza kusetshenziswa iqoqo lamaseva; abasebenzisi basabalaliswa ezindaweni ezahlukene futhi basebenzise i-inthanethi ukuze bafinyelele insiza. Kule modeli, i-inthanethi isebenza njengendlela yokuxhumana phakathi kwesevisi nabasebenzisi - yile ndlela izinsiza zewebhu ezisuka ezinjini zokusesha ukuya kumathuluzi ebhange aku-inthanethi asebenza ngayo.

Ukuhlaselwa kwe-DoS kwenza ukuxhumana okuvamile phakathi kwesevisi nabasebenzisi kungenzeki. Kunezinhlobo ezimbili ze-DoS: ukuhlaselwa kwezinga lesicelo kanye nezinga lengqalasizinda. Esimweni sokugcina, abahlaseli bahlasela ngokuqondile inethiwekhi kanye nababungazi lapho isevisi isebenza khona (isibonelo, bavala wonke umkhawulokudonsa wenethiwekhi ngethrafikhi yezikhukhula). Esimeni sokuhlaselwa kwezinga lohlelo lokusebenza, umhlaseli aqondise kuwo i-interface yomsebenzisi - ukwenza lokhu, bathumela inani elikhulu lezicelo ukuze babangele ukuthi uhlelo lokusebenza luphahlazeke. Ukuhlolwa kuchaze ukuhlaselwa okuthintekayo ezingeni lengqalasizinda.

Amanethiwekhi ommeleli angelinye lamathuluzi okunciphisa umonakalo ovela ekuhlaselweni kwe-DoS. Uma usebenzisa ummeleli, zonke izicelo ezivela kumsebenzisi eziya kusevisi nezimpendulo kubo azithunyelwa ngokuqondile, kodwa ngamaseva aphakathi. Kokubili umsebenzisi nohlelo lokusebenza “akubonani” ngokuqondile; amakheli ommeleli kuphela atholakala kubo. Ngenxa yalokho, akunakwenzeka ukuhlasela isicelo ngokuqondile. Emaphethelweni enethiwekhi kukhona okuthiwa ama-edge proxies - ama-proxies angaphandle anamakheli e-IP atholakalayo, uxhumano luya kubo kuqala.

Ukuze umelane ngempumelelo nokuhlaselwa kwe-DoS, inethiwekhi yommeleli kufanele ibe namakhono abalulekile amabili. Okokuqala, inethiwekhi enjalo ephakathi kufanele idlale indima yomxhumanisi, okungukuthi, isicelo "singafinyelelwa" ngayo kuphela. Lokhu kuzoqeda ukuthi kungenzeka ukuhlaselwa okuqondile kwenkonzo. Okwesibili, inethiwekhi yommeleli kufanele ikwazi ukuvumela abasebenzisi ukuthi basahlanganyele nohlelo lokusebenza ngisho nangesikhathi sokuhlasela.

Hlola ingqalasizinda

Ucwaningo lusebenzise izingxenye ezine ezibalulekile:

• ukuqaliswa kwenethiwekhi yommeleli;
• Iseva yewebhu ye-Apache;
• ithuluzi lokuhlola iwebhu Siege;
• ithuluzi lokuhlasela I-Trinoo.

Ukulingisa kwenziwa endaweni ye-MicroGrid - ingasetshenziswa ukulingisa amanethiwekhi anama-routers ayizinkulungwane ezingu-20, afana namanethiwekhi ama-opharetha we-Tier-1.

Inethiwekhi evamile ye-Trinoo iqukethe isethi yabasingathi abasengozini abasebenzisa i-daemon yohlelo. Kukhona nesofthiwe yokuqapha yokuqapha inethiwekhi nokuqondisa ukuhlaselwa kwe-DoS. Ngemva kokuthola uhlu lwamakheli e-IP, i-daemon ye-Trinoo ithumela amaphakethe e-UDP kokuhlosiwe ngezikhathi ezithile.

Ngesikhathi sokuhlolwa, amaqoqo amabili asetshenzisiwe. Isifanisi se-MicroGrid sisebenze kuqoqo le-Xeon Linux elingu-16-node (amaseva angu-2.4GHz anenkumbulo engu-1 gigabhayithi emshinini ngamunye) axhunywe ngehabhu le-Ethernet elingu-1 Gbps. Ezinye izingxenye zesofthiwe zazitholakala kuqoqo lamanodi angu-24 (450MHz PII Linux-cthdths enememori engu-1 GB emshinini ngamunye), exhunywe ihabhu le-Ethernet elingu-100Mbps. Amaqoqo amabili axhunywe isiteshi esingu-1Gbps.

Inethiwekhi yommeleli isingathwe kuqoqo labasingathi abayi-1000. Ama-Edge proxies asatshalaliswa ngokulinganayo kulo lonke uhlobo lwezinsiza. Amaphrokzi okusebenza nohlelo atholakala kubabungazi abaseduze nengqalasizinda yayo. Ama-proxy asele asabalaliswa ngokulinganayo phakathi kwama-edge kanye nama-proxies ohlelo lokusebenza.

Inethiwekhi yokulingisa

Ukuze batadishe ukusebenza kommeleli njengethuluzi lokulwa nokuhlaselwa kwe-DoS, abacwaningi balinganise ukukhiqiza kohlelo lokusebenza ngaphansi kwezimo ezihlukene zokuthonya kwangaphandle. Kube nesamba sama-proxies angu-192 kunethiwekhi yommeleli (angama-64 kubo onqenqemeni). Ukwenza lokhu kuhlasela, kwadalwa inethiwekhi ye-Trinoo, kuhlanganise namademoni ayi-100. Idemoni ngalinye linesiteshi esingu-100Mbps. Lokhu kuhambisana ne-botnet yamarutha asekhaya ayinkulungwane eziyi-10.

Umthelela wokuhlaselwa kwe-DoS kuhlelo lokusebenza kanye nenethiwekhi yommeleli ukaliwe. Ekucushweni kokuhlola, uhlelo lokusebenza belineshaneli ye-inthanethi engu-250 Mbps, futhi ummeleli onqenqemeni ngamunye ube nesiteshi esingu-100 Mbps.

Imiphumela yokuhlola

Ngokusekelwe emiphumeleni yokuhlaziywa, kwavela ukuthi ukuhlasela kwe-250Mbps kwandisa kakhulu isikhathi sokuphendula sohlelo lokusebenza (cishe izikhathi eziyishumi), ngenxa yalokho kuba nzima ukuyisebenzisa. Nokho, uma usebenzisa inethiwekhi yommeleli, ukuhlasela akunawo umthelela obalulekile ekusebenzeni futhi akwehlisi umuzwa womsebenzisi. Lokhu kwenzeka ngenxa yokuthi abameleli bonqenqema banciphisa umphumela wokuhlasela, futhi isamba semithombo yenethiwekhi yommeleli singaphezulu kwalezo zohlelo lokusebenza ngokwalo.

Ngokwezibalo, uma amandla okuhlasela engeqi ku-6.0Gbps (naphezu kokuphelele kweziteshi zommeleli onqenqemeni kube ngu-6.4Gbps kuphela), abasebenzisi abangu-95% ababoni ukwehla okubonakalayo ekusebenzeni. Ngaphezu kwalokho, esimweni sokuhlasela okunamandla okudlula i-6.4Gbps, ngisho nokusetshenziswa kwenethiwekhi yommeleli bekungeke kugweme ukucekelwa phansi kwezinga lesevisi kubasebenzisi bokugcina.

Esimeni sokuhlaselwa okugxilile, lapho amandla abo egxile kusethi engahleliwe yama-edge proxies. Kulesi simo, ukuhlasela kuvala ingxenye yenethiwekhi yommeleli, ngakho ingxenye enkulu yabasebenzisi izobona ukwehla kokusebenza.

okutholakele

Imiphumela yokuhlolwa iphakamisa ukuthi amanethiwekhi ommeleli angathuthukisa ukusebenza kwezinhlelo zokusebenza ze-TCP futhi anikeze ileveli evamile yesevisi kubasebenzisi, ngisho noma kwenzeka ukuhlaselwa kwe-DoS. Ngokuya ngedatha etholiwe, amanethiwekhi ommeleli aphenduka ayindlela esebenzayo yokunciphisa imiphumela yokuhlaselwa; abasebenzisi abangaphezu kuka-90% abazange bezwe ukwehla kwekhwalithi yesevisi phakathi nokuhlolwa. Ngaphezu kwalokho, abacwaningi bathola ukuthi njengoba usayizi wenethiwekhi ye-proxy ukhula, izinga lokuhlaselwa kwe-DoS elingakwazi ukumelana nalo likhuphuka cishe ngokulandelana. Ngakho-ke, uma inethiwekhi inkulu, izolwa ngokuphumelelayo ne-DoS.

Izixhumanisi eziwusizo nezinto zokwakha ezivela I-Infatica:

• Ucwaningo: Ukudala isevisi yommeleli ongavimbeli kusetshenziswa ithiyori yegeyimu
• Umlando wokulwa nokucwaninga: indlela ye-flash proxy eyakhiwe ososayensi abavela eMIT naseStanford isebenza kanjani
• Uqondwa kanjani uma ama-proxies eqamba amanga: ukuqinisekiswa kwezindawo ezibonakalayo zama-proxi enethiwekhi kusetshenziswa i-algorithm ye-geolocation esebenzayo
• Ungazifihla kanjani ku-inthanethi: ukuqhathanisa iseva kanye nama-proxies ahlala

Umthombo: www.habr.com