{"id":307521,"date":"2023-10-19T13:36:16","date_gmt":"2023-10-19T11:36:16","guid":{"rendered":"https:\/\/blog.wedos.cz\/?p=307521"},"modified":"2023-10-19T13:36:21","modified_gmt":"2023-10-19T11:36:21","slug":"waf-report-z-wedos-global-protection-za-zari-2023","status":"publish","type":"post","link":"https:\/\/blog.wedos.com\/cs\/waf-report-z-wedos-global-protection-za-zari-2023","title":{"rendered":"WAF report z WEDOS Global Protection za z\u00e1\u0159\u00ed 2023"},"content":{"rendered":"\n

V z\u00e1\u0159\u00ed jsme oproti pr\u00e1zdninov\u00fdm m\u011bs\u00edc\u016fm zaznamenali i vzr\u016fstaj\u00edc\u00ed po\u010det \u00fatok\u016f. V dne\u0161n\u00edm reportu se pod\u00edv\u00e1me po del\u0161\u00ed dob\u011b na „siln\u011bj\u0161\u00ed“ DDoS \u00fatoky na L3\/L4 a zat\u00edm z\u0159ejm\u011b na nejsiln\u011bj\u0161\u00ed L7 DDoS \u00fatok co do po\u010dtu po\u017eadavk\u016f za minutu. Samoz\u0159ejm\u011b probereme i budov\u00e1n\u00ed WEDOS Global Protection a na \u010dem aktu\u00e1ln\u011b pracujeme.<\/p>\n\n\n\n\n\n\n\n

I v z\u00e1\u0159\u00ed pokra\u010dovala v\u00fdznamn\u00e1 aktivita botnet\u016f, kter\u00e9 se zam\u011b\u0159ily na hled\u00e1n\u00ed zranitelnost\u00ed na webech a v obl\u00edben\u00fdch redak\u010dn\u00edch syst\u00e9mech. Velmi v\u00fdrazn\u00fd byl botnet prov\u00e1d\u011bj\u00edc\u00ed \u00fatoky z mobiln\u00edch za\u0159\u00edzen\u00ed v P\u00e1kist\u00e1nu. Byly dny, kdy tento botnet provedl i stovky tis\u00edc po\u017eadavk\u016f. Nicm\u00e9n\u011b p\u0159i t\u011bchto po\u010dtech u\u017e se na omezenou dobu aktivuj\u00ed blacklisty, tak\u017ee v re\u00e1lu bychom se dostali k jednotk\u00e1m milion\u016f.<\/p>\n\n\n\n

Jen pro zaj\u00edmavost, n\u011bkter\u00e9 dny byl jedn\u00edm z nej\u010dast\u011bji volan\u00fdch soubor\u016f xmlrpc.php<\/strong>. Co\u017e je obrovsk\u00e9 l\u00e1kadlo pro \u00fato\u010dn\u00edky. \u010casto zkou\u0161\u00ed existenci xmlrpc.php, i kdy\u017e na webu nem\u00e1te WordPress.<\/p>\n\n\n\n

\"\"<\/figure>
\n

Co je xmlrp.php?<\/strong><\/p>\n\n\n\n

Soubor xmlrpc.php ve WordPress slou\u017e\u00ed k poskytov\u00e1n\u00ed rozhran\u00ed XML-RPC, co\u017e je protokol, kter\u00fd umo\u017e\u0148uje komunikaci mezi WordPress a jin\u00fdmi syst\u00e9my. P\u0159esto\u017ee je tento soubor d\u016fle\u017eit\u00fd pro n\u011bkter\u00e9 funkce, m\u016f\u017ee b\u00fdt tak\u00e9 zraniteln\u00fd v\u016f\u010di \u00fatok\u016fm, pokud nen\u00ed spr\u00e1vn\u011b zabezpe\u010den.<\/p>\n\n\n\n

\u00dato\u010dn\u00edci mohou vyu\u017e\u00edvat xmlrpc.php k proveden\u00ed brute force \u00fatok\u016f na p\u0159ihla\u0161ovac\u00ed \u00fadaje. XML-RPC umo\u017e\u0148uje \u00fato\u010dn\u00edk\u016fm odeslat mnoho p\u0159ihla\u0161ovac\u00edch pokus\u016f v jedn\u00e9 \u017e\u00e1dosti, co\u017e je \u010din\u00ed efektivn\u011bj\u0161\u00edmi p\u0159i h\u00e1d\u00e1n\u00ed hesel.<\/p>\n\n\n\n

xmlrpc.php m\u016f\u017ee b\u00fdt tak\u00e9 zneu\u017eit k prov\u00e1d\u011bn\u00ed DDoS \u00fatok\u016f, kter\u00e9 p\u0159et\u011b\u017euj\u00ed server t\u00edm, \u017ee generuj\u00ed obrovsk\u00e9 mno\u017estv\u00ed po\u017eadavk\u016f, co\u017e m\u016f\u017ee v\u00e9st k p\u00e1du nebo zpomalen\u00ed webu.<\/p>\n\n\n\n

Pokud jsou na WordPress zranitelnosti, \u00fato\u010dn\u00edci mohou vyu\u017e\u00edt xmlrpc.php k vzd\u00e1len\u00e9mu spu\u0161t\u011bn\u00ed \u0161kodliv\u00e9ho k\u00f3du.<\/p>\n\n\n\n

\u00dato\u010dn\u00edci mohou tak\u00e9 zneu\u017e\u00edvat funkce XML-RPC k prov\u00e1d\u011bn\u00ed ne\u017e\u00e1douc\u00edch akc\u00ed jako je publikov\u00e1n\u00ed spamov\u00fdch p\u0159\u00edsp\u011bvk\u016f nebo koment\u00e1\u0159\u016f.<\/p>\n<\/div><\/div>\n\n\n\n

Samoz\u0159ejm\u011b nechyb\u011bly ani pokusy o hled\u00e1n\u00ed zranitelnost\u00ed prost\u0159ednictv\u00edm SQLi \u00fatok\u016f. V tom byl velice aktivn\u00ed hlavn\u011b p\u00e1kist\u00e1nsk\u00fd mobiln\u00ed botnet. Nicm\u00e9n\u011b nepolevovaly ani dal\u0161\u00ed botnety z dal\u0161\u00edch zem\u00ed jako t\u0159eba \u010c\u00edna. Ty jsou charakteristick\u00e9 hlavn\u011b pou\u017e\u00edv\u00e1n\u00edm IPv6. V \u010c\u00edn\u011b se hojn\u011b vyu\u017e\u00edv\u00e1 IPv6, tak\u017ee je t\u0159eba d\u00e1vat si pozor i na to. \u0158ada mobiln\u00edch oper\u00e1tor\u016f p\u0159id\u011bluje novou IPv6 po p\u0159ipojen\u00ed do s\u00edt\u011b, tak\u017ee standardn\u00ed \u0159e\u0161en\u00ed na principu fail2ban nemus\u00ed b\u00fdt pro jednotliv\u00e9 IPv6 ide\u00e1ln\u00ed.<\/p>\n\n\n\n

\"\"<\/figure>
\n

Co je to SQLi?<\/strong><\/p>\n\n\n\n

SQLi (SQL injection), je typ \u00fatoku sm\u011b\u0159uj\u00edc\u00ed na datab\u00e1ze. P\u0159i tomto \u00fatoku se nepovolen\u00e9 SQL p\u0159\u00edkazy vkl\u00e1daj\u00ed do vstupn\u00edch pol\u00ed aplikace s c\u00edlem manipulovat nebo z\u00edskat p\u0159\u00edstup k datab\u00e1zi. Kdy\u017e aplikace neov\u011b\u0159uje a nespr\u00e1vn\u011b zpracov\u00e1v\u00e1 u\u017eivatelsk\u00fd vstup, m\u016f\u017ee to \u00fato\u010dn\u00edkovi umo\u017enit spustit vlastn\u00ed SQL k\u00f3d v datab\u00e1zi. D\u016fsledky SQLi mohou zahrnovat naru\u0161en\u00ed integrity dat, ztr\u00e1tu dat, z\u00edsk\u00e1n\u00ed citliv\u00fdch informac\u00ed a v n\u011bkter\u00fdch p\u0159\u00edpadech i \u00fapln\u00e9 ovl\u00e1dnut\u00ed datab\u00e1ze \u010di hostitelsk\u00e9ho syst\u00e9mu.<\/p>\n<\/div><\/div>\n\n\n\n

Co se t\u00fdk\u00e1 obl\u00edben\u00fdch L7 DDoS \u00fatok\u016f, tak tam jsme \u017e\u00e1dn\u00fd nov\u00fd trend nezaznamenali. Opakuje se po\u0159\u00e1d to sam\u00e9, co u\u017e jsme vid\u011bli, a na co jsme p\u0159ipraveni. Nicm\u00e9n\u011b je nutn\u00e9 podotknout, \u017ee \u00fatoky jsou intenzivn\u011bj\u0161\u00ed, zvl\u00e1\u0161t\u011b pokud jsou vedeny z napaden\u00fdch server\u016f. <\/p>\n\n\n\n

WEDOS Global<\/h2>\n\n\n\n

WEDOS Global je na\u0161e celosv\u011btov\u00e1 infrastruktura postaven\u00e1 na BGP Anycast a reverzn\u00edch proxy. Hlavn\u00ed my\u0161lenka je stahovat si p\u0159es BGP n\u00e1v\u0161t\u011bvnost z okol\u00ed do lokalit, kde m\u00e1me n\u00e1\u0161 hardware s reverzn\u00edmi proxy, a tam s provozem d\u00e1le pracovat. V ka\u017ed\u00e9 lokalit\u011b jej tak filtrujeme, cachujeme, um\u00edme p\u0159ekl\u00e1dat protokol (HTTP\/1.1 na HTTP\/3) anebo poskytnout IPv6, i kdy\u017e jej na webhostingu\/serveru nem\u00e1te.<\/p>\n\n\n\n

V podstat\u011b reverzn\u00ed proxy mohou d\u011blat cokoliv a to decentralizovan\u011b po cel\u00e9m sv\u011bt\u011b, doslova za rohem od n\u00e1v\u0161t\u011bvn\u00edka. Experimentujeme s \u0159adou v\u011bc\u00ed, kter\u00e9 v\u00e1\u0161 web posunou na novou \u00farove\u0148 a to bez nutnosti cokoliv upravovat na va\u0161em serveru. Sta\u010d\u00ed jen nasm\u011brovat dom\u00e9nu pomoc\u00ed DNS a to je v\u0161e.<\/p>\n\n\n\n

Tento report ale nen\u00ed o tom, jak v\u00e1m zrychl\u00edme web, anebo vy\u0159e\u0161\u00edme n\u011bkter\u00e9 technick\u00e9 nedostatky. To si nech\u00e1me na samostatn\u00fd \u010dl\u00e1nek \ud83d\ude42<\/p>\n\n\n\n

WEDOS Global jako celosv\u011btov\u00e1 s\u00ed\u0165 mus\u00ed b\u00fdt hlavn\u011b rychl\u00e1. K tomu pot\u0159ebujeme b\u00fdt v d\u016fle\u017eit\u00fdch lokalit\u00e1ch, propojit se do hlavn\u00edch v\u00fdm\u011bnn\u00fdch uzl\u016f (IXP) a poladit peering, aby v\u0161echna data putovala v\u017edy nejkrat\u0161\u00ed cestou.<\/p>\n\n\n\n

\"\"<\/figure>
\n

Co je to IXP peering?<\/strong><\/p>\n\n\n\n

Peering je dohoda mezi dv\u011bma poskytovateli internetov\u00fdch slu\u017eeb (ISP), kter\u00e1 umo\u017e\u0148uje, aby jejich s\u00ed\u0165ov\u00fd provoz proch\u00e1zel p\u0159\u00edmo mezi nimi, ani\u017e by musel proj\u00edt t\u0159et\u00ed stranou. <\/p>\n\n\n\n

Tento p\u0159\u00edm\u00fd p\u0159enos dat m\u016f\u017ee zv\u00fd\u0161it rychlost a spolehlivost internetov\u00e9ho p\u0159ipojen\u00ed, proto\u017ee \u00fadaje nemus\u00ed cestovat tak daleko nebo p\u0159es dal\u0161\u00ed r\u016fzn\u00e9 s\u00edt\u011b. Tak\u00e9 to m\u016f\u017ee sn\u00ed\u017eit n\u00e1klady, proto\u017ee ob\u011b strany se mohou vyhnout poplatk\u016fm, kter\u00e9 by jinak mohly platit t\u0159et\u00edm stran\u00e1m za p\u0159enos dat.<\/p>\n\n\n\n

Peering obvykle prob\u00edh\u00e1 na tzv. internetov\u00fdch v\u00fdm\u011bnn\u00fdch bodech (IXP), kde m\u016f\u017ee mnoho ISP propojit sv\u00e9 s\u00edt\u011b dohromady.<\/p>\n<\/div><\/div>\n\n\n\n

Nov\u00e9 lokality<\/h3>\n\n\n\n

V z\u00e1\u0159\u00ed jsme p\u0159idali novou lokalitu Irsko (Dublin). V nov\u00e9 lokalit\u011b m\u00e1me 45 na\u0161ich vlastn\u00edch fyzick\u00fdch server\u016f, 3 switche a domluvenou konektivitu 100 Gbps s mo\u017enost\u00ed \u0161k\u00e1lov\u00e1n\u00ed. V\u0161e je tak\u00e9 p\u0159ipraveno na p\u0159\u00edpadn\u00e9 propojen\u00ed do lok\u00e1ln\u00edch s\u00edt\u00ed p\u0159es p\u0159edsazen\u00fd switch Arista, pokud to v budoucnu zlep\u0161\u00ed kvalitu slu\u017eeb, anebo pokud v Irsku budeme m\u00edt v\u011bt\u0161\u00ed po\u010det m\u00edstn\u00edch z\u00e1kazn\u00edk\u016f.<\/p>\n\n\n\n

\nhttps:\/\/blog.wedos.cz\/spusteni-nove-lokality-wedos-global-v-irsku\n<\/div><\/figure>\n\n\n\n

Nov\u00e9 propoje (peeringy)<\/h3>\n\n\n\n

Koncem srpna jsme spustili nov\u00fd propoj (peering) do LINX (London Internet Exchange) viz. \u010dl\u00e1nek na blogu Nov\u00e9 p\u0159\u00edm\u00e9 propojen\u00ed s LINX posiluje na\u0161i celosv\u011btovou infrastrukturu WEDOS Global<\/a>. B\u011bhem z\u00e1\u0159\u00ed jsme detailn\u011b analyzovali provoz a postupn\u011b v\u0161e ladili ke spokojenosti na\u0161ich z\u00e1kazn\u00edk\u016f.<\/p>\n\n\n\n

Dal\u0161\u00ed propoj, kter\u00fd jsme realizovali, je do Netnod. Jedn\u00e1 se o v\u00fdznamn\u00e9 IXP sdru\u017euj\u00edc\u00ed ISP ze seversk\u00fdch zem\u00ed. Propojili jsme se do Netnode v lokalit\u011b \u0160v\u00e9dsko a Finsko. <\/p>\n\n\n\n

\nhttps:\/\/blog.wedos.cz\/wedos-global-se-propojil-do-ixp-netnod-bude-tak-rychlejsi-pro-uzivatele-ze-severskych-statu\n<\/div><\/figure>\n\n\n\n

I d\u00edky t\u011bmto propoj\u016fm se WEDOS Global podle nez\u00e1visl\u00e9ho m\u011b\u0159en\u00ed mezi celosv\u011btov\u00fdmi DNS usadil v TOP 25 na sv\u011bt\u011b a v TOP 10 v Evrop\u011b. My si ale v\u011b\u0159\u00edme a TOP 5 v Evrop\u011b d\u00e1me do p\u00e1r m\u011bs\u00edc\u016f \ud83d\ude42<\/p>\n\n\n\n

Chcete se o WEDOS Global dozv\u011bd\u011bt v\u00edce?<\/h3>\n\n\n\n

Pokud v\u00e1s zaj\u00edm\u00e1 WEDOS Global a r\u00e1di byste se dozv\u011bd\u011bli v\u00edce o pokro\u010dil\u00fdch technologi\u00edch kter\u00e9 pou\u017e\u00edv\u00e1me, tak pro hlub\u0161\u00ed a detailn\u00ed pohled do technologick\u00e9 architektury, na n\u00ed\u017e je postavena infrastruktura WEDOS Global, v\u00e1m doporu\u010dujeme poslechnout si na\u0161i p\u0159edn\u00e1\u0161ku z konference Kubernetes Community Days Czech & Slovak 2023. Tuto odbornou prezentaci vedli dva kolegov\u00e9, kte\u0159\u00ed hraj\u00ed kl\u00ed\u010dovou roli ve v\u00fdvoji WEDOS Global.<\/p>\n\n\n\n

\n