{"id":25874,"date":"2020-03-26T09:52:28","date_gmt":"2020-03-26T08:52:28","guid":{"rendered":"https:\/\/blog.wedos.cz\/?p=25874"},"modified":"2020-04-06T09:57:32","modified_gmt":"2020-04-06T07:57:32","slug":"jak-jsme-zaspali-nejsilnejsi-ddos-utok-ktery-na-nas-kdy-sel-a-nikdo-si-toho-nevsiml","status":"publish","type":"post","link":"https:\/\/blog.wedos.com\/cs\/jak-jsme-zaspali-nejsilnejsi-ddos-utok-ktery-na-nas-kdy-sel-a-nikdo-si-toho-nevsiml","title":{"rendered":"Jak jsme „zaspali“ nejsiln\u011bj\u0161\u00ed DDoS \u00fatok, kter\u00fd na n\u00e1s kdy \u0161el a nikdo si toho nev\u0161iml"},"content":{"rendered":"

Zrovna p\u0159ed t\u00fddnem jsem se pochlubili na soci\u00e1ln\u00edch s\u00edt\u00edch, jak na n\u00e1s po dlouh\u00e9 dob\u011b \u0161el zase jeden v\u011bt\u0161\u00ed DDoS \u00fatok (p\u0159enosy se vy\u0161plhaly na 32 Gbps p\u0159i 5ti minutov\u00fdch pr\u016fm\u011brech). No a m\u00e1lem jsem „zaspali“ rekordmana. Respektive zaspali, proto\u017ee jsme si toho ani nev\u0161imli.<\/p>\n

<\/p>\n

Velmi siln\u00fdm \u00fatok\u016fm jsme \u010delili u\u017e d\u0159\u00edve, ale teprve p\u0159echodem na 100 Gbps linky je dok\u00e1\u017eeme i p\u0159esn\u011b m\u011b\u0159it. Aktu\u00e1ln\u011b m\u00e1me konektivitu na Hlubokou 3 trasy a ka\u017ed\u00e1 100 Gbps a tak m\u00e1me 3x 100Gbps do internetu (p\u0159es dal\u0161\u00ed poskytovatele) je\u0161t\u011b v\u00edc. 23. b\u0159ezna ve\u010der za\u010dal nejsiln\u011bj\u0161\u00ed zaznamenan\u00fd DDoS \u00fatok. B\u011bhem okam\u017eiku vysko\u010dily p\u0159enosy p\u0159es 38 Gbps (5 ti minutov\u00fd pr\u016fm\u011br).<\/p>\n

\"\"<\/a><\/p>\n

A co se d\u011blo u n\u00e1s? DDoS ochrana vyhodnotila data ze senzor\u016f v \u0159\u00e1dech jednotek vte\u0159in (tato doba je od 1,5 – 3,5 vte\u0159iny) a za\u010dala situaci \u0159e\u0161it jako ka\u017ed\u00fd b\u011b\u017en\u00fd DDoS \u00fatok, kter\u00fdch na n\u00e1s chod\u00ed denn\u011b i stovky. Spustila v\u00fdhybku a za\u010dala probl\u00e9mov\u00fd provoz filtrovat.<\/p>\n

Z\u00e1kaznick\u00e1 podpora radila s administrac\u00ed, odpov\u00eddala na dotazy na komunitn\u00edm webu<\/a> a technici dod\u011bl\u00e1vali posledn\u00ed resty. Nikde \u017e\u00e1dn\u00fd v\u00fdkyv, nikdo si nest\u011b\u017eoval, prost\u011b jakoby se nic ned\u011blo.<\/p>\n

Teprve dal\u0161\u00ed den si technik p\u0159i rutinn\u00ed kontrole provozu DDoS ochrany v\u0161iml „celkem siln\u00e9ho“ \u00fatoku. Mezit\u00edm p\u0159i\u0161lo pouze jedno upozorn\u011bn\u00ed prost\u0159ednictv\u00edm SMS a mailu, \u017ee prob\u00edh\u00e1 siln\u00fd \u00fatok.<\/p>\n

Kdy\u017e se \u00fato\u010d\u00ed silou a\u017e 44,5 Gbps<\/h3>\n

V\u0161echny \u00fatoky nad 10 Gbps chod\u00ed technik\u016fm SMSkou, tak\u017ee nen\u00ed \u00fapln\u011b pravda, \u017ee by o tomto nikdo v\u016fbec nev\u011bd\u011bl. Ov\u0161em v SMSce u\u017e nen\u00ed uvedeno, jak siln\u00fd \u00fatok to je. V posledn\u00edch letech jsou takto siln\u00e9 \u00fatoky celkem b\u011b\u017en\u00e9, tak\u017ee SMSky chod\u00ed pravideln\u011b. Technici se jen ujist\u00ed, \u017ee \u00fatok neomezuje slu\u017eby z\u00e1kazn\u00edk\u016f a d\u00e1le to ne\u0159e\u0161\u00ed. Nen\u00ed t\u0159eba.<\/p>\n

To, \u017ee m\u00e1 \u00fatok dopad na z\u00e1kaznick\u00e9 slu\u017eby monitorujeme jin\u00fdmi syst\u00e9my, a tak by p\u0159i\u0161lo zase jin\u00e9 upozorn\u011bn\u00ed. Nic se nestalo.\u00a0<\/p>\n

V\u011bt\u0161ina siln\u011bj\u0161\u00edch \u00fatok\u016f je slo\u017eena z v\u00edce men\u0161\u00edch. \u00dato\u010d\u00ed se r\u016fzn\u00fdmi zp\u016fsoby na odli\u0161n\u00e9 \u010d\u00e1sti s\u00edt\u011b. Pokud bychom se\u010detli v\u0161echen \u0161kodliv\u00fd provoz, kter\u00fd v t\u00e9 dob\u011b na n\u00e1s \u0161el, dos\u00e1hl by ve \u0161pi\u010dce 44,5 Gbps.<\/p>\n

Tohle byla jeho nejsiln\u011bj\u0161\u00ed \u010d\u00e1st. Jak vid\u00edte, \u00fato\u010dn\u00edk to zkusil po chv\u00edli znovu. U\u017e v\u0161ak k dispozici nem\u011bl takovou s\u00edlu. P\u0159i takto siln\u00fdch \u00fatoc\u00edch se \u010dasto cestou n\u011bco ucpe. Ne ka\u017ed\u00fd m\u00e1 3x 100 Gbps konektivitu jako my \ud83d\ude42<\/p>\n

\"\"<\/a><\/p>\n

Na n\u00e1sleduj\u00edc\u00edm grafu vid\u00edte i s\u00edlu v po\u010dtu odeslan\u00fdch paket\u016f. Pro v\u011bt\u0161inu ochran je n\u00e1ro\u010dn\u011bj\u0161\u00ed ust\u00e1t pr\u00e1v\u011b po\u010det paket\u016f ne\u017e celkov\u00e9 p\u0159enosy.<\/p>\n

\"\"<\/a><\/p>\n

DDoS ochrana pro klidn\u00e9 span\u00ed<\/h3>\n

V roce 2014 jsme si pro\u0161li kv\u016fli DDoS \u00fatok\u016fm t\u0159emi velmi n\u00e1ro\u010dn\u00fdmi m\u011bs\u00edci<\/a>. Tehdy jsme si \u0159ekli, \u017ee u\u017e nic podobn\u00e9ho nechceme nikdy za\u017e\u00edt, a tak jsme se pustili do stavby vlastn\u00ed DDoS ochrany. Investovali miliony korun a obrovsk\u00e9 mno\u017estv\u00ed \u010dasu. Na\u0161im c\u00edlem bylo vytvo\u0159it DDoS ochranu, kter\u00e1 by n\u00e1m zajistila klidn\u00e9 span\u00ed.<\/p>\n

Samoz\u0159ejm\u011b p\u0159ich\u00e1zeli dal\u0161\u00ed kru\u0161n\u00e9 chvilky. Objevily se nov\u00e9 formy \u00fatok\u016f, nar\u00e1\u017eeli jsme na limity zna\u010dkov\u00e9ho hardware i na\u0161ich dodavatel\u016f. Ale jak \u0161el za ty roky \u010das, nabrali jsme zku\u0161enosti a \u0159adu v\u011bc\u00ed vylep\u0161ili, proinvestovali miliony a sou\u010dasn\u00fd stav je takov\u00fd, \u017ee m\u016f\u017eeme zaspat i \u00fatok o s\u00edle 44,5 Gbps.<\/p>\n

Co bude s DDoS ochranou d\u00e1l?<\/h3>\n

DDoS ochranu si h\u00fd\u010dk\u00e1me a jsme na ni pat\u0159i\u010dn\u011b py\u0161n\u00ed. Sna\u017e\u00edme se, aby byla dostate\u010dn\u011b naddimenzovan\u00e1 a neust\u00e1le pokukujeme po nov\u00fdch technologi\u00edch. Je slo\u017eena z mnoha velmi v\u00fdkonn\u00fdch server\u016f rozm\u00edst\u011bn\u00fdch po s\u00edti (n\u011bkter\u00e9 jsou u dodavatel\u016f na\u0161\u00ed konektivity). Pot\u0159ebujete hlavn\u011b siln\u00fd v\u00fdpo\u010detn\u00ed v\u00fdkon a dostatek pam\u011bti.<\/p>\n

Aktu\u00e1ln\u011b jsme na\u0161i ochranu vylep\u0161ili i dnes v noci, ale o tom zase nap\u00ed\u0161eme p\u0159\u00ed\u0161t\u011b.<\/p>\n

Dal\u0161\u00ed velk\u00e9 vylep\u0161en\u00ed m\u00e1me napl\u00e1novan\u00e9 na tento rok. V p\u0159\u00edprav\u011b je slu\u017eba WEDOS AnyCast, kter\u00e1 zajist\u00ed, \u017ee v\u00e1\u0161 obsah u n\u00e1s bude dostupn\u00fd rychle a bezpe\u010dn\u011b z cel\u00e9ho sv\u011bta. Na vybran\u00e1 m\u00edsta (takzvan\u00e9 POPy) po sv\u011bt\u011b rozm\u00edst\u00edme na\u0161e servery, p\u0159es kter\u00e9 se budou p\u0159ipojovat va\u0161i zahrani\u010dn\u00ed n\u00e1v\u0161t\u011bvn\u00edci p\u0159\u00edmo k n\u00e1m.\u00a0 Sou\u010d\u00e1st\u00ed instalace budou i servery vyhrazen\u00e9 nap\u0159\u00edklad na CDN.<\/p>\n

Ov\u0161em d\u00e1me tam i servery pro lep\u0161\u00ed detekci a filtraci. To n\u00e1s posune zase o kus d\u00e1l. Z\u00edsk\u00e1me lep\u0161\u00ed p\u0159ehled o \u00fatoc\u00edch, efektivn\u011bj\u0161\u00ed filtraci a v p\u0159\u00edpad\u011b, \u017ee by n\u011bkdo rozjel opravdu extr\u00e9mn\u011b siln\u00fd \u00fatok, tak to v\u017edy odnese jen dan\u00fd POP. Tady u n\u00e1s v \u010cR to nepozn\u00e1te.<\/p>\n

Ot\u00e1zkou samoz\u0159ejm\u011b je, jak to bude ve sv\u011bt\u011b te\u010f.<\/p>\n

Z\u00e1v\u011br<\/h3>\n

Ob\u010das n\u00e1m p\u00ed\u0161ete, \u017ee chcete v\u011bd\u011bt o na\u0161\u00ed ochran\u011b v\u00edc a \u017ee chcete speci\u00e1ln\u00ed nastaven\u00ed. I to se p\u0159ipravuje. Jednak nap\u00ed\u0161eme v\u00edce informac\u00ed a jednak chceme p\u0159idat p\u0159\u00edplatkov\u00e9 slu\u017eby.\u00a0<\/p>\n\n\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

Zrovna p\u0159ed t\u00fddnem jsem se pochlubili na soci\u00e1ln\u00edch s\u00edt\u00edch, jak na n\u00e1s po dlouh\u00e9 dob\u011b \u0161el zase jeden v\u011bt\u0161\u00ed DDoS \u00fatok (p\u0159enosy se vy\u0161plhaly na 32 Gbps p\u0159i 5ti minutov\u00fdch pr\u016fm\u011brech). No a m\u00e1lem jsem „zaspali“ rekordmana. Respektive zaspali, proto\u017ee jsme si toho ani nev\u0161imli.<\/p>\n","protected":false},"author":9,"featured_media":25912,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[112],"tags":[122,43],"class_list":["post-25874","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-bezpecnost","tag-ddos","tag-ddos-ochrana"],"_links":{"self":[{"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/posts\/25874","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/comments?post=25874"}],"version-history":[{"count":8,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/posts\/25874\/revisions"}],"predecessor-version":[{"id":26027,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/posts\/25874\/revisions\/26027"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/media\/25912"}],"wp:attachment":[{"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/media?parent=25874"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/categories?post=25874"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/tags?post=25874"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}