Xakep Online
[XAKEP 09 [81] 05 > HACKING 068]
kernel firewall settings
collecting e-mail addresses
I think you can figure this code out without additional comments, especially since I have already described how the script works. The connection limit in my case was seven.
Besides its main function, the script prints connection statistics so that the administrator knows who is attacking him at the moment :).
[studying the logs] But even this trick did not give 100% protection against the attack. After a couple of hours the load figure really did drop by 40% and Apache stopped crawling, but you could still feel that the attack was continuing. It should be noted that the standard firewall coped successfully with the enemy's onslaught; there were simply some special bots that managed to get around my clever script.
And I found those bots in just a few minutes :). To do that I had to enable the verbose option in my ipfw firewall, which is done with the simple command sysctl -w net.inet.ip.fw.verbose=1. Then I created a small rule that processes all packets. This rule must have a lower number than the rule that denies all traffic to the machine; I chose 50000 as its identifier. The add command itself looked like this:
ipfw add 50000 count log logamount 0 ip from any to me 80
Now I could start analysing /var/log/security, where by default every request to port 80 on the server was now being written. After slightly reworking the script described above, I started re-reading a fixed fragment of the log (with the command tail -1000 /var/log/security) and taking the number of requests from there. The result was not long in coming: after only 2-3 runs the load on the server dropped again.
But this method could not give 100% protection either, because while it was running the script had already managed to ban 20–30 legitimate visitors of the site :). The explanation is that under certain conditions an ordinary user can easily exceed my request limit (when refreshing a page or on a slow link).
I used the protection described above for three days. During that time, as I already said, around a hundred upstanding users piled up in the firewall's ban list. The script had to be run three or four times a day. This protection undoubtedly worked, but it could not be trusted one hundred percent. So I decided to develop a new variant of protection against the DDoS attack, and Apache's logging system helped me a lot with that.
I wanted to look at the requests the bots were sending to the web server. It turned out that practically all the requests were identical and indistinguishable from user requests. At first glance a request contained a Referer, a correctly formed request for a random but existing page, and a real UserAgent. However, that last field made me doubt that the request was genuine: in most of the logged lines the UserAgent had the prefix Win 98.x. Apparently that was the only feature distinguishing ordinary requests from hostile ones. A plan for new server protection against the bots was already born in my head, and 15 minutes later I had implemented it as a compact Perl script. It would be a sin not to give its source code, since many administrators will find it useful.
[a Perl script that saves you from DDoS]
#!/usr/bin/perl
$num=`cat /var/log/rule`; # This file stores the next free rule number
chomp $num;
# Pull the last 1000 entries matching the pattern, cut the IP address out of them and drop duplicates
$cmd='tail -1000 /usr/local/apache/logs/access.log|grep "Win 9x 4."|cut -f1 -d " "|sort -u';
@cmd=`$cmd`;
chomp @cmd;
foreach $each (@cmd) {
    chomp $each;
    $rule=0;
    open(DB,"/var/log/niggerz");
    while(<DB>) {
        chomp;
        if ($_ eq $each) { $rule=1; last } # If the address is already in the database, stop looking
    }
    close(DB);
    unless ($rule) {
        system("/sbin/ipfw add $num deny ip from $each to me 80"); # Otherwise put the IP on the blacklist
        open(LOG,">>/var/log/dos.log");
        print LOG "banned ip $each as rules $num\n";
        close(LOG);
        open(DB,">>/var/log/niggerz");
        print DB "$each\n"; # and add a record to the log and to the ban database :).
        close(DB);
        $num++;
    }
}
`echo $num > /var/log/rule`; # Update the rule number
This script parses the log for the distinctive requests, extracts the IP address from them, and then looks for the same IP in a special database. If the address is not found, it is not in the ipfw rules yet, so it appears there immediately :). Otherwise the bot's IP has already been banned, and the script does not clutter the firewall with a duplicate rule.
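The decision logic of the script above, as an added Python example that is not the article's code: it parses Apache combined-format lines, flags IPs by the UserAgent signature, and (optionally) also applies the per-IP request count from the earlier /var/log/security approach, so the false-positive case described above (a browser fetching a page plus its stylesheet and images) is visible on sample data. The log lines, addresses, allowlist and starting rule number are constructed, the function names are mine, and nothing here executes ipfw; it returns the commands so they can be reviewed before running, and it compares addresses exactly rather than with a regex, so 10.0.0.1 never matches 10.0.0.12.

```python
import re
from collections import Counter

# Constructed sample of Apache combined-format log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2005:12:00:01 +0400] "GET /news/1.html HTTP/1.1" 200 5120 "http://example.org/" "Mozilla/4.0 (compatible; MSIE 6.0; Win 9x 4.90)"
203.0.113.7 - - [10/Sep/2005:12:00:01 +0400] "GET /news/2.html HTTP/1.1" 200 4100 "http://example.org/" "Mozilla/4.0 (compatible; MSIE 6.0; Win 9x 4.90)"
203.0.113.5 - - [10/Sep/2005:12:00:02 +0400] "GET /news/3.html HTTP/1.1" 200 3900 "http://example.org/" "Mozilla/4.0 (compatible; MSIE 6.0; Win 9x 4.90)"
198.51.100.20 - - [10/Sep/2005:12:00:02 +0400] "GET /index.html HTTP/1.1" 200 8000 "-" "Mozilla/5.0 (X11; U; Linux i686) Firefox/1.0.6"
198.51.100.20 - - [10/Sep/2005:12:00:02 +0400] "GET /style.css HTTP/1.1" 200 900 "http://example.org/index.html" "Mozilla/5.0 (X11; U; Linux i686) Firefox/1.0.6"
198.51.100.20 - - [10/Sep/2005:12:00:03 +0400] "GET /logo.gif HTTP/1.1" 200 2300 "http://example.org/index.html" "Mozilla/5.0 (X11; U; Linux i686) Firefox/1.0.6"
192.0.2.9 - - [10/Sep/2005:12:00:03 +0400] "GET /news/1.html HTTP/1.1" 200 5120 "http://example.org/" "Mozilla/4.0 (compatible; MSIE 6.0; Win 9x 4.90)"
"""

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d+ \S+ "[^"]*" "(?P<ua>[^"]*)"')
UA_SIGNATURE = "Win 9x 4."  # the distinguishing substring used by the article's grep


def parse(lines):
    """Yield (ip, user_agent) for every well-formed combined-log line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("ua")


def suspects(lines, signature=UA_SIGNATURE, rate_limit=None, allowlist=()):
    """Return the sorted list of IPs to ban.

    Two detectors: the UserAgent signature (the article's second method) and, when
    rate_limit is given, a per-IP request count over the lines supplied (the article's
    first method, which is what bans a real browser that loads a page and its assets).
    Allowlisted IPs (constructed here; e.g. your own monitoring host) are never returned.
    """
    hits = set()
    counts = Counter()
    for ip, ua in parse(lines):
        counts[ip] += 1
        if signature in ua:
            hits.add(ip)
    if rate_limit is not None:
        hits.update(ip for ip, n in counts.items() if n > rate_limit)
    return sorted(ip for ip in hits if ip not in allowlist)


def ban_commands(ips, already_banned, next_rule):
    """Build ipfw deny commands for IPs not yet in the ban database.

    Returns (commands, updated_ban_set, next_free_rule_number). Membership is an exact
    string comparison, so a prefix such as 10.0.0.1 cannot match 10.0.0.12.
    """
    banned = set(already_banned)
    cmds = []
    for ip in ips:
        if ip in banned:
            continue
        cmds.append(f"/sbin/ipfw add {next_rule} deny ip from {ip} to me 80")
        banned.add(ip)
        next_rule += 1
    return cmds, banned, next_rule


if __name__ == "__main__":
    # Dry run over the constructed sample: rate_limit=2 shows the Firefox user being caught.
    ips = suspects(SAMPLE_LOG.splitlines(), rate_limit=2)
    cmds, db, nxt = ban_commands(ips, already_banned={"192.0.2.9"}, next_rule=1000)
    for c in cmds:
        print(c)
    print("next rule number:", nxt)
```

Run with no rate_limit and only the three signature hits come back; add rate_limit=2 and 198.51.100.20, a normal browser, is banned as well, which is exactly the trade-off the article describes. Keeping the commands as return values (rather than calling system() inside the loop) makes the detector testable and lets you log what would be banned before enabling enforcement.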
The antiddos.pl script is run from crontab every minute. That is quite enough to repel an attack by 2–3 thousand bots, as it was in my case. The only drawback of the script is that it cannot quickly restore the server to working order. In other words, under an overly active attack (20–30 requests at the same instant) the server still goes into suspended animation, but comes back out of it after 3–4 minutes :).
[the admin sleeps, the attack goes on] If you think I installed the script and forgot about the bots, you are mistaken :). Even though I was not paying for traffic (and the bots were generating about 500 megabytes of garbage a day), I wanted justice. So my task was to write to the abuse contacts of the network administrators of every network the bots were running on, and thereby destroy the botnet. Within an hour, using the whois command, bash automation tools and a fair amount of swearing :), I had collected e-mail addresses for 90% of the bots. My job was made easier by the fact that in most cases the attack came from a single subnet, so I only needed to write 400 complaints to report all the vulnerable machines. The job was done in just three hours, and a day later I had received a good half of the replies from admins promising to neutralise the infected machine. Just a week later the flood of traffic to my server stopped completely. Apparently the botmaster realised it was dangerous to mess with me, or whoever ordered the flood stopped paying for the attack. Either way, I won against the villains, which I am still very glad about.
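The abuse-reporting step above, as an added Python example that is not the article's code: it takes the banned addresses, reads the abuse contact out of each one's whois answer, and groups the addresses by /24 so that one complaint covers a whole subnet, which is why the article needed only 400 messages. It assumes you have already run whois for each IP (the answers here are constructed, using documentation prefixes); the field names it checks, abuse-mailbox: (RIPE) and OrgAbuseEmail: (ARIN), are real, but registries differ, so addresses with no recognised contact are returned for manual follow-up rather than silently dropped. Function names are mine.

```python
import ipaddress
import re

# Constructed whois answers keyed by IP (documentation prefixes; not real networks or contacts).
SAMPLE_WHOIS = {
    "203.0.113.5":   "inetnum:        203.0.113.0 - 203.0.113.255\nnetname:        EXAMPLE-NET\nabuse-mailbox:  abuse@example.net\n",
    "203.0.113.7":   "inetnum:        203.0.113.0 - 203.0.113.255\nnetname:        EXAMPLE-NET\nabuse-mailbox:  abuse@example.net\n",
    "198.51.100.20": "NetRange:       198.51.100.0 - 198.51.100.255\nOrgAbuseEmail:  abuse@example.org\n",
    "192.0.2.9":     "inetnum:        192.0.2.0 - 192.0.2.255\nnetname:        NO-CONTACT\n",
}

# Abuse contact fields as printed by RIPE (abuse-mailbox) and ARIN (OrgAbuseEmail); other registries
# may use different labels, which is why a miss is reported instead of guessed.
ABUSE_FIELD = re.compile(r"^(?:abuse-mailbox|OrgAbuseEmail):\s*(\S+@\S+)\s*$", re.M | re.I)


def abuse_contact(whois_text):
    """Return the first abuse address found in a whois answer, lower-cased, or None."""
    m = ABUSE_FIELD.search(whois_text)
    return m.group(1).lower() if m else None


def group_complaints(ips, whois_lookup, prefix=24):
    """Map abuse contact -> sorted list of /prefix networks that sent bot traffic.

    whois_lookup(ip) must return the whois text for that address (here a dict lookup;
    in practice a cached subprocess call). Returns (contacts, unresolved_ips).
    """
    contacts = {}
    unresolved = []
    for ip in ips:
        contact = abuse_contact(whois_lookup(ip) or "")
        if contact is None:
            unresolved.append(ip)
            continue
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        contacts.setdefault(contact, set()).add(str(net))
    return {c: sorted(n) for c, n in contacts.items()}, unresolved


def complaint_count(contacts):
    """Number of messages to send: one per (contact, network) pair."""
    return sum(len(nets) for nets in contacts.values())


if __name__ == "__main__":
    contacts, unresolved = group_complaints(list(SAMPLE_WHOIS), SAMPLE_WHOIS.get)
    for contact, nets in contacts.items():
        print(f"{contact}: {', '.join(nets)}")
    print("complaints to send:", complaint_count(contacts))
    print("no abuse contact found for:", unresolved)
```

The grouping is what keeps the workload manageable: four bot addresses in the sample collapse to two messages, and the one address without a recognised contact is listed separately so it can be looked up by hand.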
The moral of the story: even if you are being attacked by several thousand bots and your upstream provider refuses to help, act on your own. In this article I have given several ready-made solutions for defending against the most dangerous attacks; your job is to pick the best option. If you pay for traffic and none of the options suits you, try moving to a friendlier data centre, one that cares about every client, or at least does not charge for traffic :)
EXPERT OPINION
Most DDoS attacks rely on peculiarities of the TCP/IP protocol, in particular on the way incoming packets with the SYN flag are handled. Such attacks are quite hard to prevent, especially if the system implies publicly accessible incoming connections. The fight against them is further complicated by the fact that they are, as a rule, carried out from many addresses, often located in different segments of the Net and belonging to different carriers. So there is simply no 100% way of countering these attacks. At present the most effective means of fighting this type of attack is control on the carrier's side, which must ensure quick detection and blocking of this traffic at the entrance to its network segment. Carriers try to prevent such attacks by installing filters that cut off such traffic automatically. This practice is especially widespread among foreign carriers. Often ordinary users suffer from such filters, since it is quite hard to distinguish DDoS traffic from some application that opens several connections to a host simultaneously. Alexey Krasnov, system administrator at Mediatel (www.mediatel.ru)