Hosting with full protection against DDoS attacks: myth or reality

In the first two quarters of 2020 the number of DDoS attacks almost tripled, and 65% of them were the classic "load testing" attempts that easily knock out the unprotected sites of small online stores, forums, blogs and media outlets.

How do you choose DDoS-protected hosting? What should you pay attention to, and what should you prepare for, so that you do not end up in an unpleasant situation?

(A vaccine against "gray" marketing inside)

The availability and variety of DDoS attack tools force owners of Internet services to take adequate countermeasures. You should think about DDoS protection not after the first outage, and not merely as one item in a set of measures to increase the fault tolerance of the infrastructure, but at the stage of choosing where the service will be placed (the hosting provider or data center).

DDoS attacks are classified according to the protocols whose weaknesses are exploited, by layer of the Open Systems Interconnection (OSI) model:

  • data link (L2),
  • network (L3),
  • transport (L4),
  • application (L7).

From the point of view of protection systems, they can be divided into two groups: infrastructure-level attacks (L2-L4) and application-level attacks (L7). The split follows the order in which traffic analysis algorithms are applied and their computational complexity: the deeper we look into an IP packet, the more computing power is required.

In general, the problem of optimizing computation when processing traffic in real time is a topic for a separate series of articles. For now, let us simply assume that there is some cloud provider with unlimited computing resources that can protect sites from application-level attacks (including free of charge).

3 main questions for determining how well a hosting provider is protected against DDoS attacks

Let us look at the terms of the DDoS protection service and the Service Level Agreement (SLA) of the hosting provider. Do they contain answers to the following questions:

  • what technical limits does the service provider state?
  • what happens if the client exceeds those limits?
  • how does the hosting provider implement protection against DDoS attacks (technologies, solutions, suppliers)?

If you have not found this information, that is a reason to question how serious the service provider is, or to organize basic DDoS protection (L3-L4) yourself. For example, order a physical connection to the network of a specialized security provider.

Important! There is no point in providing protection against application-level attacks via a Reverse Proxy if your hosting provider cannot protect you against infrastructure-level attacks: the network equipment will be overloaded and unavailable, including the hosting servers of the cloud provider itself (Figure 1).

Figure 1. Direct attack on the hosting provider's network

And do not let anyone tell you the tale that the server's real IP address is hidden behind the security provider's cloud and therefore cannot be attacked directly. In nine cases out of ten it will not be hard for an attacker to find the server's real IP address, or at least the hosting provider's network, in order to "take down" the entire data center.

How attackers go about finding the real IP address

Below are a few ways attackers find the real IP address (given for informational purposes).

Method 1: search open sources

You can start your search with the Intelligence X online service: it searches the dark web, document-sharing platforms, processes Whois data, public data leaks and many other sources.

If, based on certain signs (HTTP headers, Whois data, etc.), it was possible to determine that the site's protection is built on Cloudflare, you can start the search for the real IP from the list that contains roughly 3 million IP addresses of sites located behind Cloudflare.

Using the SSL certificate and the Censys service you can find a lot of useful information, including the site's real IP address. To query for your resource, go to the Certificates tab and enter:

parsed.names: site_name AND tags.raw: trusted

To search for the IP addresses of servers using that SSL certificate, you will have to go manually through the drop-down list with several tools (the "Explore" tab, then select "IPv4 Hosts").

Method 2: DNS

Searching the history of DNS record changes is an old, proven method. The site's previous IP address can make clear which hosting provider (or data center) it used to be located in. Among online services, the following stand out for ease of use: ViewDNS and SecurityTrails.

When settings are changed, the site does not immediately start using the IP address of the cloud security provider or CDN, but continues to work directly for some time. In that case it is likely that online services that keep a history of IP address changes hold information about the site's origin address.

If nothing remains except the name of the old DNS server, you can query that server directly for the site's IP address by domain name using standard utilities (dig, host or nslookup), for example:

dig @old_dns_server_name site_name

Method 3: e-mail

The idea of the method is to use a feedback or registration form (or any other way to trigger the sending of a message) to receive a message at your own e-mail address and examine its headers, in particular the "Received" fields.

The e-mail headers often contain the real IP address of the host behind the MX record (the mail exchange server), which can be a starting point for finding the target's other servers.
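The following is an added example, not code from the original article: it walks the Received headers of a constructed registration e-mail in delivery order and returns the first routable address, which is the target's own mail host as seen by the first external relay. The hostnames and addresses in the sample message are placeholders from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24, so the routability filter deliberately excludes only loopback, RFC 1918, link-local and CGNAT space.

```python
"""Pull the originating mail server out of a message's Received headers.

Added example, not code from the original article. The message below is
constructed by hand: its hostnames and addresses (documentation ranges
198.51.100.0/24 and 203.0.113.0/24) are placeholders, not real servers.
"""
import email
import ipaddress
import re

IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Ranges that can never be the origin as seen from outside: loopback,
# RFC 1918, link-local and carrier-grade NAT. Documentation ranges are
# deliberately NOT excluded so the sample message still yields a result.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "100.64.0.0/10",
)]

# Constructed sample: a confirmation mail that passed through the target's
# web server, the target's MX, and the recipient's own relay.
SAMPLE = """\
Received: from mx.example-mailbox.test (mx.example-mailbox.test [203.0.113.10])
    by inbox.example-mailbox.test with ESMTP id abc123
    for <me@example-mailbox.test>; Mon, 1 Jun 2020 10:00:01 +0000
Received: from web01.target.example (web01.target.example [198.51.100.25])
    by mx.example-mailbox.test with ESMTPS id def456
    for <me@example-mailbox.test>; Mon, 1 Jun 2020 10:00:00 +0000
Received: from localhost (localhost [127.0.0.1])
    by web01.target.example (Postfix) with ESMTP id ghi789;
    Mon, 1 Jun 2020 09:59:59 +0000
From: noreply@target.example
To: me@example-mailbox.test
Subject: Registration confirmation

Thanks for registering.
"""


def is_routable(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)


def received_hops(raw_message: str):
    """Return (hostname, ip) per Received header, in delivery order.

    Every MTA prepends its own Received line, so the header closest to the
    body is the first hop and the top one is the last; the list is reversed
    to read the path from sender to recipient."""
    msg = email.message_from_string(raw_message)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        text = " ".join(header.split())  # unfold continuation lines
        # The 'from' clause names the peer the receiving MTA talked to.
        m = re.search(r"from\s+(\S+)\s*\(([^)]*)\)", text)
        host = m.group(1) if m else None
        ips = IPV4.findall(m.group(2)) if m else IPV4.findall(text)
        hops.append((host, ips[0] if ips else None))
    return hops


def origin_ip(raw_message: str):
    """First routable address along the path, or None if there is none."""
    for _host, ip in received_hops(raw_message):
        if ip and is_routable(ip):
            return ip
    return None


if __name__ == "__main__":
    for host, ip in received_hops(SAMPLE):
        print(f"{host!s:40} {ip}")
    print("origin candidate:", origin_ip(SAMPLE))
```

The loopback hop that Postfix adds on the web server is skipped, and the result is the address of the host that actually talked to the outside world. Whether that host is also the web server, or only the MX, is what the next lookups have to establish.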

Automated search tools

Software for finding the IP behind the Cloudflare shield usually performs three tasks:

  • scanning for DNS misconfiguration via DNSDumpster.com;
  • scanning the Crimeflare.com data;
  • subdomain search using a dictionary (brute-force) approach.

Subdomain discovery is most often the most productive of the three: a site owner can put the main site behind protection and leave subdomains serving traffic directly. The easiest way to check is with CloudFail.

In addition, there are utilities intended solely for subdomain discovery through dictionary search and open-source search, for example Sublist3r or dnsrecon.

How the search works in practice

As an example, let us take the site seo.com, which uses Cloudflare; we establish this with the well-known BuiltWith service (it lets you both determine the technologies / engines / CMS a site runs on and, conversely, search for sites by the technologies they use).

When you click the "IPv4 Hosts" tab, the service shows the list of hosts that use the certificate. To find the one you need, look for an IP address with port 443 open. If it redirects to the site you are looking for, the job is done; otherwise you need to put the site's domain name into the "Host" header of the HTTP request (for example, curl -H "Host: site_name" https://IP_address; since the certificate presented for a bare IP will not match, add -k, or use --resolve site_name:443:IP_address https://site_name/ so that SNI and Host are both set correctly).
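The following is an added example, not code from the original article, that puts the steps above into a small Python tool: it first discards candidate addresses that fall inside Cloudflare's own edge prefixes (an address there is the proxy and can never be the origin), then connects directly to each survivor with the site's name as SNI and Host, exactly as the curl command does, and classifies the answer. The candidate addresses are constructed, the target domain is fictional, and the prefix list is a snapshot of the ranges Cloudflare publishes at https://www.cloudflare.com/ips-v4 that must be refreshed before real use.

```python
"""Triage of candidate origin IPs and a direct Host-header probe.

Added example, not code from the original article. Candidate addresses
and the target domain are made up; the Cloudflare prefixes are a snapshot
of https://www.cloudflare.com/ips-v4 and must be refreshed before use.
"""
import ipaddress
import socket
import ssl

# Snapshot of Cloudflare's published IPv4 edge prefixes (assumption:
# refresh from https://www.cloudflare.com/ips-v4 before relying on it).
CLOUDFLARE_V4 = [ipaddress.ip_network(p) for p in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22",
    "103.31.4.0/22", "141.101.64.0/18", "108.162.192.0/18",
    "190.93.240.0/20", "188.114.96.0/20", "197.234.240.0/22",
    "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare_edge(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def triage(candidates):
    """Deduplicate and drop Cloudflare edge addresses: those are the proxy,
    never the origin, no matter which tool reported them."""
    return [ip for ip in dict.fromkeys(candidates) if not is_cloudflare_edge(ip)]


def parse_response(raw: bytes):
    """Return (status_code, Server header or None) from a raw HTTP/1.x reply."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    server = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            server = value.strip()
    return status, server


def classify(status: int, server):
    """'edge' if the responder announces itself as Cloudflare, 'origin' if
    it served the site (2xx/3xx) without that fingerprint, else 'unrelated'."""
    if server and "cloudflare" in server.lower():
        return "edge"
    if 200 <= status < 400:
        return "origin"
    return "unrelated"


def probe(ip: str, domain: str, timeout: float = 5.0) -> str:
    """Connect straight to `ip`, presenting `domain` as SNI and Host so a
    virtual-hosted origin serves the right site. Certificate verification is
    disabled on purpose: an origin reached by raw IP rarely has a matching
    cert. Equivalent to: curl -k --resolve domain:443:ip https://domain/"""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    request = (f"HEAD / HTTP/1.1\r\nHost: {domain}\r\n"
               "Connection: close\r\n\r\n").encode()
    with socket.create_connection((ip, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=domain) as tls:
            tls.sendall(request)
            raw = b""
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                raw += chunk
    return classify(*parse_response(raw))


if __name__ == "__main__":
    # Constructed candidates: two Cloudflare edge addresses (the ones DNS
    # currently returns) plus one documentation-range address standing in
    # for a leaked origin found via DNS history or a subdomain.
    found = ["104.16.123.96", "172.67.10.20", "198.51.100.7", "104.16.123.96"]
    survivors = triage(found)
    print("worth probing:", survivors)
    # When online: for ip in survivors: print(ip, probe(ip, "target.example"))
```

A 403 with Server: cloudflare from a direct connection means you hit another tenant's edge, not the target; a 2xx or 3xx from an address outside Cloudflare's ranges is the origin answering for the site, which is the moment the "hidden IP" story falls apart.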

In our case the search in the Censys database yielded nothing, so we move on.

We run a DNS history search with the service https://securitytrails.com/dns-trails.

Scanning the addresses listed among the DNS records with the CloudFail utility, we find resources that answer directly. The result is ready in a few seconds.

Using only open data and simple tools, we have determined the real IP address of the web server. The rest, for the attacker, is a matter of technique.

Let us return to choosing a hosting provider. To assess what the service is worth to the client, we will consider the possible ways of protecting against DDoS attacks.

How a hosting provider builds its protection

  1. Its own protection system with filtering equipment (Figure 2).
    This requires:
    1.1. traffic filtering hardware and software licenses;
    1.2. full-time specialists to support and operate it;
    1.3. Internet access channels wide enough to absorb an attack;
    1.4. significant prepaid channel bandwidth for receiving "dirty" traffic.
    Figure 2. The hosting provider's own security system
    If we consider this scheme as a means of protection against a modern DDoS attack of hundreds of Gbps, it will cost a great deal of money. Does the hosting provider have such protection? Is it ready to pay for the "dirty" traffic? Obviously, such an economic model is unprofitable for the provider unless the tariffs provide for additional payments.
  2. Reverse Proxy (for websites and some other applications only). Despite a number of advantages, the vendor does not guarantee protection against a direct DDoS attack (see Figure 1). Hosting providers often offer this solution as a panacea, shifting the burden of responsibility onto the security provider.
  3. Services of a specialized cloud provider (use of its filtering network) for protection against DDoS attacks at all OSI layers (Figure 3).
    Figure 3. Comprehensive protection against DDoS attacks using a specialized provider
    This solution presumes deep integration and a high level of technical competence on both sides. Outsourcing the traffic filtering lets the hosting provider reduce the price of the additional services for the client.

Important! The more precisely the technical characteristics of the service are described, the better your chances of demanding that they be met, or of obtaining compensation in case of downtime.

Beyond the three main approaches there are many combinations and variations. When choosing hosting, the client should remember that the decision depends not only on the guaranteed size of attack that can be blocked and the filtering accuracy, but also on the speed of response and on how informative the service is (list of blocked attacks, general statistics, etc.).

Remember that only a handful of hosting providers in the world are able to provide an acceptable level of protection on their own; in the other cases, partnerships and technical literacy help. Understanding the basic principles of organizing DDoS protection will therefore let a site owner avoid falling for marketing tricks and buying a "pig in a poke".

Source: www.habr.com
