Download - Xakep Online

[XAKEP 09 [81] 05 > HACKING 068]

[figure: kernel-level firewall settings]

[figure: collecting email addresses]

I think you can make sense of this code without extra comments, especially since I have already described how the script works. In my case the connection limit was seven.

Besides its main job, the script prints connection statistics so the administrator knows who is attacking him at the moment :).

[studying the logs] But even this trick did not give 100% protection against the attack. After a couple of hours the load really had dropped by 40% and Apache stopped lagging, but you could still feel that the attack was going on. It should be noted that the standard firewall coped successfully with the enemy's onslaught; there were simply some special bots that managed to get around the clever script.

And I found those bots in just a few minutes :). To do that I had to enable the verbose option in my ipfw firewall, which is done with the simple command sysctl -w net.inet.ip.fw.verbose=1.

Then I created a small rule that handles all packets. This rule must have a lower number than the rule that denies all traffic to the machine. I chose the number 50000 as its identifier. The add command itself looked like this:

ipfw add 50000 count log logamount 0 ip from any to me 80

Now I could start analysing the file /var/log/security, where by default every request to the server on port 80 was now being recorded. After slightly reworking the script described above, I began re-reading a fixed fragment of the log (with the command tail -1000 /var/log/security) and taking the request counts from it. The result did not take long: after only 2-3 runs the load on the server dropped again.

But this method could not give 100% protection either, because while it was running the script had already managed to ban 20–30 legitimate visitors of the site :). The reason is that under certain conditions an ordinary user can easily exceed my request limit (when refreshing a page, or on a slow link).

I used the protection described above for three days. During that time, as I already said, about a hundred respectable users piled up in the firewall's ban list. The script had to be run three or four times a day. This protection undoubtedly worked, but it could not be trusted one hundred percent. So I decided to develop a new kind of protection against the DDoS attack. Apache's logging system helped me a lot here.

I wanted to look at the requests the bots were sending to the web server. As it turned out, practically all the requests were identical and indistinguishable from user ones. At first glance a request carried a Referer, a correctly formed request for a random but existing page, and a realistic UserAgent. However, that last field made me doubt the legitimacy of the request. In most of the logged lines the UserAgent had the prefix Win 98.x. Apparently this was the only feature that told hostile requests apart from ordinary ones. A plan for a new defence of the server against the bots was already forming in my head, and 15 minutes later I had implemented it as a compact Perl script. It would be a sin not to give its source code, because many administrators will find it useful.

[a Perl script that saves you from DDoS]

#!/usr/bin/perl
use strict;
use warnings;

my $rule_file = '/var/log/rule';    # this file stores the next ipfw rule number
my $db_file   = '/var/log/banned';  # database of addresses already banned
my $log_file  = '/var/log/dos.log';

my $num = `cat $rule_file`;
chomp $num;

# Pull the last 1000 entries that match the pattern, cut the IP address
# out of them and kill the duplicates
my $cmd = 'tail -1000 /usr/local/apache/logs/access.log | grep "Win 9x 4." | cut -f1 -d " " | sort -u';
my @ips = `$cmd`;
chomp @ips;

foreach my $each (@ips) {
    my $rule = 0;
    if (open(my $db, '<', $db_file)) {
        while (<$db>) {
            chomp;
            if ($_ eq $each) { $rule = 1; last }  # address already in the database: skip it
        }
        close($db);
    }
    unless ($rule) {
        # otherwise put the IP on the block list
        system("/sbin/ipfw add $num deny ip from $each to me 80");
        open(my $log, '>>', $log_file) or die "cannot open $log_file: $!";
        print $log "banned ip $each as rule $num\n";
        close($log);
        # and record the address both in the log and in the ban database :)
        open(my $db, '>>', $db_file) or die "cannot open $db_file: $!";
        print $db "$each\n";
        close($db);
        $num++;
    }
}

# update the rule number
open(my $rf, '>', $rule_file) or die "cannot open $rule_file: $!";
print $rf "$num\n";
close($rf);

This script parses the log for the tell-tale requests, extracts the IP address from them, and then looks for the same address in a special database. If the address is not found, it is not in the ipfw rules yet, so it appears there immediately :). Otherwise the bot's IP has already been banned, and the script does not clutter the firewall with a duplicate rule.

The antiddos.pl script is run from crontab every minute. That is quite enough to repel an attack by 2–3 thousand bots, as in my case. The only drawback of the script is that it cannot restore the server's responsiveness quickly. In other words, under an overly intense attack (20–30 requests at the same instant) the server still slips into a coma, but comes out of it after 3–4 minutes :).
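The two detection passes the article describes (the per-IP request count over a tail of the log, and the User-Agent signature that antiddos.pl greps for) plus the check against the ban database, written here as an added Python example rather than the author's Perl; it is not the article's code. The log lines are constructed, the 50001 starting rule number is a placeholder, and the ipfw commands are returned as strings instead of being executed.

```python
import re
from collections import Counter
# Apache combined log: ip - - [date] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
UA_PATTERN = re.compile(r'Win 9x 4\.')  # the User-Agent prefix the article's grep keyed on

def parse(lines):
    """Yield (ip, user_agent) for each combined-format line; skip anything else."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.group('ip'), m.group('ua')

def heavy_hitters(lines, limit):
    """First method in the article: IPs with more than `limit` requests in this window.
    A legitimate user refreshing pages on a slow link can trip this as well."""
    counts = Counter(ip for ip, _ in parse(lines))
    return sorted(ip for ip, n in counts.items() if n > limit)

def ua_matches(lines):
    """Second method: unique IPs, in first-seen order, whose User-Agent matches."""
    seen = {}
    for ip, ua in parse(lines):
        if UA_PATTERN.search(ua):
            seen.setdefault(ip, None)
    return list(seen)

def plan_bans(ips, banned, next_rule):
    """Return (ipfw commands, next free rule number); `banned` is updated in place.
    Exact membership replaces the script's /$each/ regex test, so a banned
    10.0.0.1 no longer hides a new 10.0.0.10 and the dots are not wildcards."""
    cmds = []
    for ip in ips:
        if ip not in banned:
            cmds.append(f"/sbin/ipfw add {next_rule} deny ip from {ip} to me 80")
            banned.add(ip)
            next_rule += 1
    return cmds, next_rule

# Constructed sample log lines (not from the article): .10 and .11 carry the bot UA.
_BOT_UA = '"Mozilla/4.0 (compatible; MSIE 5.0; Win 9x 4.90)"'
_USER_UA = '"Mozilla/5.0 (X11; Linux) Firefox/1.0"'
def _line(ip, ua):
    return f'{ip} - - [10/Sep/2005:12:00:01 +0400] "GET /index.html HTTP/1.0" 200 5120 "http://example.test/" {ua}'
SAMPLE = ([_line('10.0.0.10', _BOT_UA)] * 3 + [_line('10.0.0.11', _BOT_UA)]
          + [_line('10.0.0.1', _USER_UA)] * 8 + [_line('192.0.2.7', _USER_UA)])

if __name__ == '__main__':
    print(heavy_hitters(SAMPLE, 7))   # ['10.0.0.1']: chatty but legitimate, a false positive
    print(ua_matches(SAMPLE))         # ['10.0.0.10', '10.0.0.11']
    print(*plan_bans(ua_matches(SAMPLE), {'10.0.0.1'}, 50001)[0], sep='\n')
```

The sample deliberately includes a legitimate client that exceeds the limit of seven, which is exactly the false-positive case the article ran into with the first method.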

[the admin sleeps, the attack goes on] If you think I set up the script and forgot about the bots, you are mistaken :). Even though I was not paying for traffic (and the bots were piling up about 500 megabytes of garbage a day), I wanted justice. So my task was to write to the abuse contacts of the network administrators of every network the bots were running on, and thereby break up the botnet. Within an hour, using the whois command, some bash automation and a fair amount of swearing :), I had collected email addresses for 90% of the bots. My task was made easier by the fact that in most cases the attack came from a single subnet. So I only needed to write 400 complaints to report all the vulnerable machines. The job was done in just three hours, and a day later I had received replies from a good half of the admins, who promised to disinfect the infected machine. Only a week later the flood against my server stopped completely. Apparently the botmaster realised I was dangerous to deal with, or whoever ordered the flood stopped paying for the attack. Either way, I won against the villains, which I am still very pleased about.

The moral of the story: even if you are being attacked by several thousand bots and the upstream provider refuses to help, act on your own. In this article I have given several ready-made solutions for protection against the most dangerous attacks; your job is to pick the best option. If you pay for traffic and none of the options suits you, try switching to a friendlier data centre, one that looks after every client, or at least does not charge for traffic :)

EXPERT OPINION

Most DDoS attacks rely on particulars of how the TCP/IP protocol works, in particular on the way incoming packets with the SYN flag are handled. These attacks are fairly hard to prevent, especially if the system is meant to accept publicly accessible incoming connections. Fighting such attacks is further complicated by the fact that, as a rule, they are carried out from a multitude of addresses, often located in different segments of the Net and belonging to different carriers. So there is simply no one-hundred-percent way of countering these attacks. At the moment the most effective means of fighting this type of attack is control on the carrier's side, which should ensure their rapid detection and the blocking of this traffic at the entrance to its network segment. Carriers try to prevent such attacks by installing filters that cut off such traffic automatically. This practice is especially common among foreign carriers. Moreover, ordinary users often suffer from such filters, since it is rather hard to distinguish DDoS attack traffic from some application that opens several connections to a host at the same time. Alexey Krasnov, system administrator at Mediatel (www.mediatel.ru)
