{"id":278896,"date":"2023-09-19T22:16:57","date_gmt":"2023-09-19T20:16:57","guid":{"rendered":"https:\/\/blog.wedos.cz\/?p=278896"},"modified":"2023-09-19T22:17:06","modified_gmt":"2023-09-19T20:17:06","slug":"waf-report-z-wedos-global-protection-za-srpen-2023","status":"publish","type":"post","link":"https:\/\/blog.wedos.com\/cs\/waf-report-z-wedos-global-protection-za-srpen-2023","title":{"rendered":"WAF report z WEDOS Global Protection za srpen 2023"},"content":{"rendered":"\n

Druh\u00fd pr\u00e1zdninov\u00fd m\u011bs\u00edc rozhodn\u011b nebyl \u010das odpo\u010dinku. Jednak jsme pokra\u010dovali v budov\u00e1n\u00ed WEDOS Global, ale tak\u00e9 museli \u0159e\u0161it vzr\u016fstaj\u00edc\u00ed aktivitu n\u011bkter\u00fdch botnet\u016f, kter\u00e9 prim\u00e1rn\u011b nem\u011bly v \u00famyslu prov\u00e1d\u011bt DDoS \u00fatoky, ale hledaly zranitelnosti. Kdy\u017e se pak sesypaly v jeden okam\u017eik jejich requesty, tak n\u011bkter\u00e9 na\u0161e z\u00e1kazn\u00edky dok\u00e1zaly nemile potr\u00e1pit.<\/p>\n\n\n\n\n\n\n\n

V posledn\u00edch m\u011bs\u00edc\u00edch obecn\u011b roste po\u010det \u00fatok\u016f SQLi. Tyto \u00fatoky v mal\u00e9 m\u00ed\u0159e jedou prakticky nep\u0159etr\u017eit\u011b a \u00fato\u010d\u00edc\u00ed botnety se sna\u017e\u00ed b\u00fdt nen\u00e1padn\u00e9. V\u011bt\u0161inou je odhal\u00edme d\u00edky agregaci dat z v\u00edce jak stovek tis\u00edc dom\u00e9n, kter\u00e9 u n\u00e1s hostuj\u00ed. Nicm\u00e9n\u011b v srpnu to \u00fato\u010dn\u00edci rozjeli opravdu ve velk\u00e9m a jedna IP adresa zkusila za den t\u0159eba i n\u011bkolik milion\u016f request\u016f. <\/p>\n\n\n\n

\"\"<\/figure>
\n

Co je to SQLi?<\/strong><\/p>\n\n\n\n

SQLi (SQL injection), je typ \u00fatoku sm\u011b\u0159uj\u00edc\u00ed na datab\u00e1ze. P\u0159i tomto \u00fatoku se nepovolen\u00e9 SQL p\u0159\u00edkazy vkl\u00e1daj\u00ed do vstupn\u00edch pol\u00ed aplikace s c\u00edlem manipulovat nebo z\u00edskat p\u0159\u00edstup k datab\u00e1zi. Kdy\u017e aplikace neov\u011b\u0159uje a nespr\u00e1vn\u011b zpracov\u00e1v\u00e1 u\u017eivatelsk\u00fd vstup, m\u016f\u017ee to \u00fato\u010dn\u00edkovi umo\u017enit spustit vlastn\u00ed SQL k\u00f3d v datab\u00e1zi. D\u016fsledky SQLi mohou zahrnovat naru\u0161en\u00ed integrity dat, ztr\u00e1tu dat, z\u00edsk\u00e1n\u00ed citliv\u00fdch informac\u00ed a v n\u011bkter\u00fdch p\u0159\u00edpadech i \u00fapln\u00e9 ovl\u00e1dnut\u00ed datab\u00e1ze \u010di hostitelsk\u00e9ho syst\u00e9mu.<\/p>\n<\/div><\/div>\n\n\n\n

Do \u00fatok\u016f se nav\u00edc ke konci srpna ve velk\u00e9m zapojili i IP adresy z \u010c\u00edny. Po detailn\u011bj\u0161\u00ed anal\u00fdze jsme zjistili, \u017ee se jedn\u00e1 o p\u0159\u00edstupy p\u0159ev\u00e1\u017en\u011b z mobiln\u00edch za\u0159\u00edzen\u00ed. Z\u0159ejm\u011b se jedn\u00e1 o n\u011bjakou rozs\u00e1hlej\u0161\u00ed infekci malware. V \u010c\u00edn\u011b se hojn\u011b vyu\u017e\u00edv\u00e1 IPv6, tak\u017ee je t\u0159eba d\u00e1vat si pozor i na to. Na\u0161t\u011bst\u00ed na \u00fatoky p\u0159es IPv6 jsme u\u017e roky dob\u0159e p\u0159ipraveni jak softwarov\u011b, tak i hardwarov\u011b.<\/p>\n\n\n\n

Koncem srpna za\u010dali ru\u0161t\u00ed hacke\u0159i \u00fato\u010dit na \u010desk\u00e9 finan\u010dn\u00ed instituce. Situaci jsme detailn\u011b monitorovali. Z\u00e1kazn\u00edk\u016fm z \u0159ad finan\u010dn\u00edch instituc\u00ed, kte\u0159\u00ed maj\u00ed slu\u017eby u n\u00e1s, se \u00fato\u010dn\u00edci vyhnuli. Naposledy jsme \u00fasp\u011b\u0161n\u011b eliminovali \u00fatoky t\u00e9to skupiny p\u0159i prezidentsk\u00fdch volb\u00e1ch, kdy na jednoho na\u0161eho z\u00e1kazn\u00edka ne\u00fasp\u011b\u0161n\u011b \u00fato\u010dili b\u011bhem prvn\u00edho kola. V druh\u00e9m u\u017e jej vynechali. <\/p>\n\n\n\n

WEDOS Global<\/h2>\n\n\n\n

WEDOS Global je na\u0161e celosv\u011btov\u00e1 infrastruktura postaven\u00e1 na BGP Anycast a reverzn\u00edch proxy. Hlavn\u00ed my\u0161lenka je stahovat si p\u0159es BGP n\u00e1v\u0161t\u011bvnost z okol\u00ed do lokalit, kde m\u00e1me hardware, a tam provoz filtrovat, cachovat odpov\u011bdi atd. D\u00edky tomu dok\u00e1\u017eeme odolat i velmi siln\u00fdm DDoS \u00fatok\u016fm, proto\u017ee jejich nejv\u011bt\u0161\u00ed s\u00edla se st\u00e1v\u00e1 jejich slabinou. <\/p>\n\n\n\n

Aktu\u00e1ln\u011b m\u00e1me na\u0161e vlastn\u00ed fyzick\u00e9 servery ve 24 lokalit\u00e1ch. V ka\u017ed\u00e9 minim\u00e1ln\u011b 45 fyzick\u00fdch server\u016f a 2 switche a garantovanou konektivitu alespo\u0148 100 Gbps. Na dal\u0161\u00edch lokalit\u00e1ch pracujeme.<\/p>\n\n\n\n

Infrastrukturu pou\u017e\u00edv\u00e1me pro provoz Anycast DNS a na\u0161\u00ed slu\u017eby WEDOS Global Protection. Do budoucna p\u0159ibudou dal\u0161\u00ed slu\u017eby. <\/p>\n\n\n\n

Lokality<\/h3>\n\n\n\n

V srpnu jsme \u017e\u00e1dnou dal\u0161\u00ed lokalitu nespustili.<\/p>\n\n\n\n

Aktu\u00e1ln\u011b m\u00e1me rozpracovanou lokalitu Irsko (Dublin)<\/strong>, kde servery, switche a dal\u0161\u00ed hardware u\u017e m\u00e1me na m\u00edst\u011b, a nyn\u00ed \u010dek\u00e1me, a\u017e n\u00e1m v\u0161e zapoj\u00ed. <\/p>\n\n\n\n

Pos\u00edlen\u00ed lokality Hlubok\u00e1 nad Vltavou (olej)<\/h4>\n\n\n\n

Jedna z d\u016fle\u017eit\u00fdch lokalit, kter\u00e1 odbavuje v\u011bt\u0161inu provozu v \u010cesku, je v na\u0161em datacentru WEDOS DC2. Jedn\u00e1 se o 90 fyzick\u00fdch server\u016f a 4 switche, kter\u00e9 jsou chlazeny v olejov\u00e9 l\u00e1zni. Jedn\u00e1 se o velice ekonomick\u00e9 a p\u0159itom ekologick\u00e9 \u0159e\u0161en\u00ed.<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

U tohoto bodu jsme u v\u0161ech server\u016f nav\u00fd\u0161ili RAM. D\u016fvodem je p\u0159\u00edprava na testov\u00e1n\u00ed nov\u00fdch funkcionalit, kter\u00e9 WEDOS Global m\u016f\u017ee poskytovat, a lep\u0161\u00ed a d\u016fkladn\u011bj\u0161\u00ed anal\u00fdza provozu pro hled\u00e1n\u00ed a eliminaci kybernetick\u00fdch hrozeb v re\u00e1ln\u00e9m \u010dase.<\/p>\n\n\n\n

Nov\u00e9 peeringy (propoje)<\/h3>\n\n\n\n

Aktu\u00e1ln\u011b jsou DNS WEDOS Global v TOP 25 na sv\u011bt\u011b, ale pokud chceme b\u00fdt je\u0161t\u011b lep\u0161\u00ed, tak je neust\u00e1l\u00e1 expanze a optimalizace na\u0161ich propoj\u016f nezbytn\u00e1. Nov\u00fdmi lokalitami se u\u017e moc d\u00e1l neposuneme. Tak\u017ee v u\u017e existuj\u00edc\u00edch lokalit\u00e1ch mus\u00edme hledat partnery \u010di IXP sdru\u017euj\u00edc\u00ed velk\u00fd po\u010det s\u00edt\u00ed anebo u\u017eivatel\u016f.<\/p>\n\n\n\n

\"\"<\/figure>
\n

Co je to IXP peering?<\/strong><\/p>\n\n\n\n

Peering je dohoda mezi dv\u011bma poskytovateli internetov\u00fdch slu\u017eeb (ISP), kter\u00e1 umo\u017e\u0148uje, aby jejich s\u00ed\u0165ov\u00fd provoz proch\u00e1zel p\u0159\u00edmo mezi nimi, ani\u017e by musel proj\u00edt t\u0159et\u00ed stranou. <\/p>\n\n\n\n

Tento p\u0159\u00edm\u00fd p\u0159enos dat m\u016f\u017ee zv\u00fd\u0161it rychlost a spolehlivost internetov\u00e9ho p\u0159ipojen\u00ed, proto\u017ee \u00fadaje nemus\u00ed cestovat tak daleko nebo p\u0159es dal\u0161\u00ed r\u016fzn\u00e9 s\u00edt\u011b. Tak\u00e9 to m\u016f\u017ee sn\u00ed\u017eit n\u00e1klady, proto\u017ee ob\u011b strany se mohou vyhnout poplatk\u016fm, kter\u00e9 by jinak mohly platit t\u0159et\u00edm stran\u00e1m za p\u0159enos dat.<\/p>\n\n\n\n

Peering obvykle prob\u00edh\u00e1 na tzv. internetov\u00fdch v\u00fdm\u011bnn\u00fdch bodech (IXP), kde m\u016f\u017ee mnoho ISP propojit sv\u00e9 s\u00edt\u011b dohromady.<\/p>\n<\/div><\/div>\n\n\n\n

LINX<\/h4>\n\n\n\n

LINX (London Internet Exchange) je jeden z nejv\u011bt\u0161\u00edch internetov\u00fdch v\u00fdm\u011bnn\u00fdch bod\u016f (IXP) na sv\u011bt\u011b a nach\u00e1z\u00ed se v Lond\u00fdn\u011b (Velk\u00e1 Brit\u00e1nie), kde m\u00e1me tak\u00e9 jeden bod WEDOS Global. V srpnu se n\u00e1m poda\u0159ilo dot\u00e1hnout v\u0161e pot\u0159ebn\u00e9. V\u00edce v samostatn\u00e9m \u010dl\u00e1nku Nov\u00e9 p\u0159\u00edm\u00e9 propojen\u00ed s LINX posiluje na\u0161i celosv\u011btovou infrastrukturu WEDOS Global<\/a><\/p>\n\n\n\n

Dal\u0161\u00ed propoje<\/h4>\n\n\n\n

B\u011bhem letn\u00edch m\u011bs\u00edc\u016f jsme nezah\u00e1leli a \u00fasp\u011b\u0161n\u011b domluvili dal\u0161\u00ed propoje, kter\u00e9 postupn\u011b realizujeme v n\u00e1sleduj\u00edc\u00edch m\u011bs\u00edc\u00edch. Konkr\u00e9tn\u011b se jedn\u00e1 o \u0160v\u00e9dsko, Finsko (FICIX), Norsko a D\u00e1nsko.<\/p>\n\n\n\n

V Amsterdamu (Holandsko) domlouv\u00e1me propoj do AMS-IX (Amsterdam Internet Exchange), co\u017e je jeden z nejv\u011bt\u0161\u00edch v\u00fdm\u011bnn\u00fdch bod\u016f na sv\u011bt\u011b.<\/p>\n\n\n\n

Dal\u0161\u00ed, jako nap\u0159\u00edklad VIX.at, BIX.hu, SIX.sk a mnoho dal\u0161\u00edch, jsou v procesu.<\/p>\n\n\n\n

Chcete se o WEDOS Global dozv\u011bd\u011bt v\u00edce?<\/h3>\n\n\n\n

Pokud v\u00e1s zaj\u00edm\u00e1 WEDOS Global a r\u00e1di byste se dozv\u011bd\u011bli v\u00edce o pokro\u010dil\u00fdch technologi\u00edch kter\u00e9 pou\u017e\u00edv\u00e1me, tak pro hlub\u0161\u00ed a detailn\u00ed pohled do technologick\u00e9 architektury, na n\u00ed\u017e je postavena infrastruktura WEDOS Global, v\u00e1m doporu\u010dujeme poslechnout si na\u0161i p\u0159edn\u00e1\u0161ku z konference Kubernetes Community Days Czech & Slovak 2023. Tuto odbornou prezentaci vedli dva kolegov\u00e9, kte\u0159\u00ed hraj\u00ed kl\u00ed\u010dovou roli ve v\u00fdvoji WEDOS Global.<\/p>\n\n\n\n

\n