{"id":39225,"date":"2016-11-16T08:07:16","date_gmt":"2016-11-16T07:07:16","guid":{"rendered":"https:\/\/blog.wedos.cz\/?p=39225"},"modified":"2020-08-27T10:56:19","modified_gmt":"2020-08-27T08:56:19","slug":"otazky-a-odpovedi-k-ddos-ochrane-wedos","status":"publish","type":"post","link":"https:\/\/blog.wedos.com\/cs\/otazky-a-odpovedi-k-ddos-ochrane-wedos","title":{"rendered":"Questions and answers about WEDOS DDoS protection"},"content":{"rendered":"\n<p>In today's article we not only answer your questions about our DDoS protection, but you will also learn about several planned new features. Some questions cannot be answered in detail, so that we do not give too much away. Thank you for your understanding.<\/p>\n\n\n\n<!--more-->\n\n\n\n<h2 class=\"wp-block-heading\">Questions from social networks and answers<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>I pay extra for the DDoS protection service on my VPS, but I somehow lack any way to check whether this protection works &#8230; are you planning a web interface with statistics about DDoS attacks on a specific VPS in the future?<\/strong><\/h3>\n\n\n\n<p>Yes, we plan for the information to be available directly in the administration, and it will also be possible to buy more powerful filtering or special rules.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>What about VPS protection? (how it works)<\/strong><\/h3>\n\n\n\n<p>Currently, DDoS protection for a VPS is activated once certain levels are reached, and we filter the traffic.
If the attack is stronger than our set values, we handle the situation with various traffic restrictions (bandwidth limiting, blocking a particular protocol, blackholing, etc.) so that other clients do not run into complications. We will publish the details once we offer more information directly in the VPS administration.<\/p>\n\n\n\n<p>During the winter we want to offer the option to buy better protection, individually configured protection, or protection up to a certain level (for example filtering of 3 Gbps). One of the interesting new features will certainly be the option to buy protection per country (you either allow a particular country or block it). This will be interesting, for example, for services aimed at the Czech and Slovak market. You can restrict traffic from other countries and thereby protect your website against most attempts.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>From what attack strength do you block access to an IP address from the internet?<\/strong><\/h3>\n\n\n\n<p>This is very individual; every attack is unique. It differs by attack type and consequences. Sometimes there are problems even with low traffic on the order of tens of kbps, and other times traffic of several Gbps does no harm.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Have you seen an attack that you cannot filter?<\/strong><\/h3>\n\n\n\n<p>We do of course encounter that.
New kinds of attacks keep appearing. We try to analyse every unknown threat and adjust everything so that next time it is blocked automatically. It is constant development that takes an enormous amount of time.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>You wrote that there had already been 300,000 attacks in 2 years. I don't really believe that. What do you count as an attack?<\/strong><\/h3>\n\n\n\n<p>We have no reason to make up attack counts. We count as an attack network behaviour in which the values of normal traffic are significantly exceeded (many times over). We monitor traffic in the network as a whole, we monitor and measure traffic in individual segments, and we monitor and measure traffic to individual IP addresses. All of this is evaluated online and compared with preset values, or compared with the values we consider normal traffic for the given time and day (different traffic by day and by night, etc.).<\/p>\n\n\n\n<p><br>The newly introduced IDS\/IPS protection catches up to hundreds of requests per second. That is a different form of protection, and the frequency of attacks there is many times higher.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>What servers and routers do you use for protection? Their performance and configuration?<\/strong><\/h3>\n\n\n\n<p>Currently our setup is somewhat unfortunate, because we built the protection gradually and did not really know what we needed or how it would end up.
So we bought servers gradually and, given the urgency, we bought whatever was immediately available. Anyone who remembers the attacks from 2014 understands the urgency of the situation. The servers have powerful XEON processors with as many cores and threads as possible (2&#215;20) and the highest possible frequency. In total there is over 1 TB of RAM and several TB of space for data for subsequent analysis. Everything has 10 Gbps network cards, and some servers have, for example, 6 of them (so such a server can handle situations up to 60 Gbps).<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"576\" data-src=\"https:\/\/blog.wedos.cz\/wp-content\/uploads\/2020\/08\/20160824_074205-ok-1024x576.jpg\" alt=\"\" class=\"wp-image-39228 lazyload\" data-srcset=\"https:\/\/blog.wedos.com\/wp-content\/uploads\/2020\/08\/20160824_074205-ok-1024x576.jpg 1024w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2020\/08\/20160824_074205-ok-300x169.jpg 300w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2020\/08\/20160824_074205-ok-768x432.jpg 768w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2020\/08\/20160824_074205-ok-1536x864.jpg 1536w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2020\/08\/20160824_074205-ok-scaled.jpg 2048w\" data-sizes=\"(max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 1024px; --smush-placeholder-aspect-ratio: 1024\/576;\" \/><\/figure>\n\n\n\n<p>We want to gradually replace everything with a unified HW solution, because for one thing it is an unsystematic element in our infrastructure.
Our other servers are always identical, which makes them easier to service and upgrade.<\/p>\n\n\n\n<p>The IDS\/IPS protection is made up of our &#8220;regular&#8221; servers; currently these are 4 servers, each with 2&#215;20 CPU threads plus 384 GB of RAM and SSD disks for logs (several TB of data with information about attacks every day).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Is the DDoS protection also redundant?<\/strong><\/h3>\n\n\n\n<p>Partially. The protection covers all our uplinks. We currently have 3 optical routes and can filter on each of them. We will now have a fourth link, and we are preparing to <strong>deploy 100 Gbps during the spring<\/strong>. If some element failed, there could currently be minor delays or imperfect filtering, because each server has a slightly different task and they complement each other.
Full redundancy will come once we deploy the new servers and the current ones are used as a backup solution.<\/p>\n\n\n\n<p>At the same time, deploying 100 Gbps will require load balancing, and that will already ensure full redundancy of all elements.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"576\" data-src=\"https:\/\/blog.wedos.cz\/wp-content\/uploads\/2020\/08\/20160608_122244-ok-1024x576.jpg\" alt=\"\" class=\"wp-image-39235 lazyload\" data-srcset=\"https:\/\/blog.wedos.com\/wp-content\/uploads\/2020\/08\/20160608_122244-ok-1024x576.jpg 1024w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2020\/08\/20160608_122244-ok-300x169.jpg 300w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2020\/08\/20160608_122244-ok-768x432.jpg 768w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2020\/08\/20160608_122244-ok-1536x864.jpg 1536w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2020\/08\/20160608_122244-ok-scaled.jpg 2048w\" data-sizes=\"(max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 1024px; --smush-placeholder-aspect-ratio: 1024\/576;\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>I have a managed server with a competitor because you do not offer this, but they cannot do DDoS protection the way I would imagine. Are you not planning DDoS protection as a service? How much would it cost?<\/strong><\/h3>\n\n\n\n<p>Do you mean DDoS protection as a service?
We want to start offering that as soon as we have 100 Gbps routes (sometime in the spring).<br>We will have managed services for VPS; more precisely, we will have a container-based solution for web hosting and VPS. We are preparing it intensively. There will then be further DDoS protection options there.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Do you cooperate with other companies in building the DDoS protection? Do you share results with anyone? It could help<\/strong><\/h3>\n\n\n\n<p>We are currently not cooperating with anyone. We considered joining some projects, but for the most part our data and information would be beneficial to the others, while the others offer us nothing in return. We will see how it goes in the future. We are not opposed to cooperation.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">A bit of history of attacks on WEDOS<\/h2>\n\n\n\n<p>How did it start?<\/p>\n\n\n\n<p><a href=\"https:\/\/datacentrum.wedos.com\/a\/353\/nas-nedogonjat-aneb-wedos-pod-ddos.html\" target=\"_blank\" rel=\"noopener\">https:\/\/datacentrum.wedos.com\/a\/353\/nas-nedogonjat-aneb-wedos-pod-ddos.html<\/a><\/p>\n\n\n\n<p>How it continued:<\/p>\n\n\n\n<p><a href=\"https:\/\/datacentrum.wedos.com\/a\/351\/co-se-deje-v-siti-aneb-neco-malo-o-ddos-planovanych-upravach-site.html\" target=\"_blank\" rel=\"noopener\">https:\/\/datacentrum.wedos.com\/a\/351\/co-se-deje-v-siti-aneb-neco-malo-o-ddos-planovanych-upravach-site.html<\/a><\/p>\n\n\n\n<p>First records<\/p>\n\n\n\n<p><a href=\"https:\/\/datacentrum.wedos.com\/a\/360\/100-000-ddos-utoku-na-wedos-za-necelych-10-mesicu-nebo-50-000-za-7-mesicu.html\" target=\"_blank\"
rel=\"noopener\">https:\/\/datacentrum.wedos.com\/a\/360\/100-000-ddos-utoku-na-wedos-za-necelych-10-mesicu-nebo-50-000-za-7-mesicu.html<\/a><\/p>\n\n\n\n<p>IPv6<\/p>\n\n\n\n<p><a href=\"https:\/\/datacentrum.wedos.com\/a\/366\/vyjadreni-k-problemu-s-konektivitou-u-vps-dne-12-08-2016.html\" target=\"_blank\" rel=\"noopener\">https:\/\/datacentrum.wedos.com\/a\/366\/vyjadreni-k-problemu-s-konektivitou-u-vps-dne-12-08-2016.html<\/a><\/p>\n\n\n\n<p>We keep improving:<\/p>\n\n\n\n<p><a href=\"https:\/\/datacentrum.wedos.com\/a\/363\/nova-idsips-ochrana-u-wedos.html\" target=\"_blank\" rel=\"noopener\">https:\/\/datacentrum.wedos.com\/a\/363\/nova-idsips-ochrana-u-wedos.html<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">More questions about DDoS protection?<\/h2>\n\n\n\n<p>If you have questions, do not hesitate to write to us on social networks or in the comments below the article. We will then answer. If you would like to ask about the IDS\/IPS protection, you can of course do so. These are extraordinarily interesting topics.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">We are building a second data centre for you<\/h2>\n\n\n\n<p>Finally, we add that we are working intensively on building a second data centre. It will be in operation soon. You can find information at&nbsp;<a href=\"http:\/\/dc.wedos.cz\/\" target=\"_blank\" rel=\"noopener\">http:\/\/dc.wedos.com\/<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In today's article we not only answer your questions about our DDoS protection, but you will also learn about several planned new features. Some questions cannot be answered in detail, so that we do not give too much away.
Thank you for your understanding.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,16],"tags":[],"class_list":["post-39225","post","type-post","status-publish","format-standard","hentry","category-spolecnost","category-sluzby"],"_links":{"self":[{"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/posts\/39225","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/comments?post=39225"}],"version-history":[{"count":2,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/posts\/39225\/revisions"}],"predecessor-version":[{"id":40017,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/posts\/39225\/revisions\/40017"}],"wp:attachment":[{"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/media?parent=39225"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/categories?post=39225"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/tags?post=39225"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}