How we broke a sweat yesterday, or: when someone finally comes up with an interesting DDoS attack

Published 2019-02-07 (last modified 2019-04-29). Original Czech post: https://blog.wedos.com/cs/jak-jsme-se-vcera-zapotili-aneb-kdyz-po-dlouhe-dobe-nekdo-vymysli-zajimavy-ddos-utok

Yesterday evening, after a longer quiet period, a DDoS attack appeared that pulled everyone into our internal group chat. Some were dealing with the problem, the others kept watching how the situation developed so they would know what to write to customers...

This kind of attack was not really new. In recent days we had been handling it on a smaller scale. It did not cause much trouble, because it did not produce longer service outages, only momentary partial unavailability, and that to a negligible degree.

It was a very specific ACK flood attack, the kind used to overload the target's web server. In general, an ACK attack (or similar types such as SYN+ACK) works like this: the attacker sends spoofed packets, carrying the target's address as their source, to a very large number of servers, which then send their replies to the target of the attack.
The target then has to process a large volume of packets from many different IP addresses, until space in its state tables (connection tracking on firewalls, load balancers and similar stateful devices) runs out, which usually means the service becomes unavailable.

In our case it was a bit different. The big attack started around nine in the evening, when some of the web hosting servers saw 22% packet loss. It came in bursts: a few seconds of trouble, then tens of seconds of calm. At first it looked like a problem with the proxy servers not coping with the load. Which cannot happen: every proxy server in front of web hosting is set up so that if it stops working it restarts and the others take over its role. On top of that, if the proxy servers cannot keep up, more are created and started. That is the beauty of WEDOS Cloud (https://blog.wedos.cz/wedos-cloud-skutecny-cloud) 🙂 Simply unlimited scaling of the infrastructure as needed.

After a few minutes the technicians were already looking for the hidden attack so they could adjust the filters. That is not easy, because someone is attacking us or our customers all the time. We have attacks here that last tens of days.

When it became clear this would not be easy, we switched on the stricter mode. That includes, for example, blocking ICMP packets (that is, PING) and blocking access from certain countries (China, Russia, South America, etc.).
This temporary measure minimized the impact of the attack, but customers who measure availability with PING, or from one of the blocked countries, received warnings about unavailability even though their service was working normally and the attack did not concern them at all.

Meanwhile our security specialists analysed the attack. For example, they found that 627 packets out of 1000 had zero payload length, which clearly pointed to the small ACK attacks of the previous days, just at scale. It was done very cleverly, though. To avoid detection, the attacker sent the packets in bursts and spread them across all the servers. For a while a few hundred packets would go to a target, then suddenly something like 15 thousand per second, and then it stopped at once.

[Figure: example of a TCP-ACK attack, https://blog.wedos.cz/wp-content/uploads/2019/02/TCP-ACK-utok.png]

Next came an adjustment of the DDoS protection rules to make them more sensitive, together with an increase in the number of proxy servers so that any burst load would be spread between them. We simply added more proxy servers, withstood the attack more easily, and things were quiet.

Beyond that there is probably nothing of interest.
The attack repeated once more around eleven in the evening and at one at night.

A bit from behind the scenes of our protection

In our network infrastructure we have several components that we use to detect and eliminate DDoS attacks. Our goal is to protect not only our network infrastructure but also your services.

In the first line are the "coarse filters": powerful servers (fitted with many 10GE cards) that only filter selected (attacked) traffic. They have no other job. They hold, for example, completely "ordinary" blacklists: as soon as an IP address is on the blacklist, all traffic from it is dropped. IP addresses get onto the blacklist in various ways: they have a bad reputation, they are added on the basis of current attacks, or they come from the various blacklists (including paid ones) that we obtain. The "coarse filter" also handles filtering by country and continent in the case of massive attacks. There are further protective elements there as well, for example various kinds of filtering using synproxy.

Another part of the protection we use is aimed purely at DDoS attacks. It is a fairly complex system using several probes, which are very powerful servers placed at various points in the network.
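What such a probe has to pick out of the traffic, for the attack analysed earlier in this post, is a one-second burst of zero-payload ACK packets hidden inside otherwise ordinary traffic. The script below is an added example, not WEDOS code: it bins packet records into time windows, flags a window when the packet rate and the share of bare ACKs both exceed a threshold, and shows why the attacker's bursts matter: the same capture averaged over ten seconds never crosses the rate threshold. The packet record format, the thresholds (5 000 pps, 50% bare-ACK share), the victim address 203.0.113.10 and the traffic sample are all constructed for illustration.

```python
"""Spotting a bursty zero-payload ACK flood in per-second traffic windows.

Added example, not WEDOS code. The packet record format, the thresholds,
the victim address 203.0.113.10 and the traffic sample are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List, Tuple

# TCP flag bits as laid out in the TCP header.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Packet:
    ts: float      # capture timestamp in seconds
    dst: str       # destination (victim) address
    flags: int     # TCP flag bits
    payload: int   # TCP payload length in bytes


def is_bare_ack(p: Packet) -> bool:
    """ACK set, no SYN/FIN/RST, zero payload: the packet type the post
    counted (627 of 1000 with zero length)."""
    return (p.flags & ACK) != 0 and (p.flags & (SYN | FIN | RST)) == 0 and p.payload == 0


def bare_ack_ratio(packets: List[Packet]) -> float:
    """Share of bare ACKs over a whole capture: a useful first look, but
    blind to timing, which is exactly what the attacker exploited."""
    return sum(is_bare_ack(p) for p in packets) / len(packets) if packets else 0.0


def detect(packets: Iterable[Packet], window: float = 1.0,
           pps_threshold: float = 5000, min_share: float = 0.5) -> List[Tuple[str, float, float, float]]:
    """Flag (dst, window) pairs whose packet rate reaches pps_threshold and
    where bare ACKs make up at least min_share of the packets.
    Returns sorted (dst, window_start, pps, bare_ack_share) tuples."""
    buckets: Dict[Tuple[str, int], List[Packet]] = defaultdict(list)
    for p in packets:
        buckets[(p.dst, int(p.ts // window))].append(p)
    hits = []
    for (dst, idx), pkts in buckets.items():
        pps = len(pkts) / window
        share = sum(is_bare_ack(p) for p in pkts) / len(pkts)
        if pps >= pps_threshold and share >= min_share:
            hits.append((dst, idx * window, pps, round(share, 3)))
    return sorted(hits)


def constructed_sample(victim: str = "203.0.113.10", burst_second: int = 4,
                       burst_size: int = 15_000) -> List[Packet]:
    """Ten seconds of ~300 pps ordinary traffic to one host, with one second
    carrying an extra 15 000 bare ACKs: the pattern described in the post
    (a few hundred pps, then ~15k pps for a moment, then nothing)."""
    pkts: List[Packet] = []
    for s in range(10):
        second = [Packet(0, victim, ACK, 0)] * 100            # ordinary acknowledgements
        second += [Packet(0, victim, PSH | ACK, 500)] * 200   # data segments
        if s == burst_second:
            second += [Packet(0, victim, ACK, 0)] * burst_size
        n = len(second)
        pkts += [replace(p, ts=s + k / n) for k, p in enumerate(second)]
    return pkts


SAMPLE = constructed_sample()

if __name__ == "__main__":
    print("bare-ACK share of the whole capture:", round(bare_ack_ratio(SAMPLE), 3))
    print("flagged with 1 s windows :", detect(SAMPLE, window=1.0))   # one hit at t=4 s
    print("flagged with 10 s windows:", detect(SAMPLE, window=10.0))  # nothing: 1 800 pps average
```

With one-second windows the burst second stands out (15 300 pps, 98.7% bare ACKs); with a ten-second window the same 18 000 packets average 1 800 pps and nothing is flagged. That is the trade-off behind the post's "detection within a second": the shorter the window, the less a bursting attacker can hide in the average, at the cost of more false positives from legitimate traffic spikes, which is why the share of bare ACKs is checked alongside the rate.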
Traffic is monitored on these probes and then evaluated. The probes are both at the entry to our network and inside it, and each filter has its own probe (on both its input and its output). So we have a detailed overview of the traffic in the whole network.

If the probes detect an attack according to the configured parameters, they send this information to a central system, which carries out the defined countermeasures fully automatically. Most often the suspicious traffic flow is redirected onto what we call the "switch" (a diversion path). Detection takes at most a second, and the traffic is rerouted practically immediately.

The attack traffic therefore does not "flow" directly to the server that is the target of the attack (and into the rest of our network), but is routed through special filters. The filters are very powerful servers with high computing power. Their job is a more thorough inspection of the traffic and its subsequent filtering. Everything is fully automatic.

The filters, however, do far more to keep our infrastructure from being overloaded. They can, for example, block suspicious network traffic by the country of origin of the IP address, filter TCP-SYN attacks and many other things. These filters commonly work with up to several thousand rules.

Also, while traffic is running through this diversion, we can set a restriction on the ICMP protocol (which ping uses).
PING is very often used to measure server availability. Some customers, however, unsuitably use it to measure the availability of their website. If a strong attack is being run against us and traffic flows through the diversion, where ICMP (PING) is blocked, their monitoring starts reporting an outage, while the website keeps working.

Not only for this reason, it is better for monitoring to use HTTP(S) requests sent to the website and to check the response code. Many things can happen where PING reports availability but the website does not work (a failed automatic update, compromise of the site and its redirection, overload, shutdown, etc.).

In front of the web servers we have yet more protection: online filtering with various functions, and then IDS/IPS protection.

So part of our comprehensive protection is also an IDS/IPS (intrusion detection and prevention system), placed in front of the web hosting servers. It also monitors the content and manner of the communication and compares it against databases of the most common threats. For example, if someone tries to exploit a hole in your content management system and our IPS/IDS knows that hole, it blocks the attempt. Currently this protection is in place for all web hosting. It works only on HTTP traffic (an IDS/IPS can only inspect what it can read in the clear); we are preparing a change so that it also covers HTTPS. Just for interest, we add that on average we drop over 40% of the traffic heading to the web servers.
Nobody misses it: it is, for example, scanning, various bots and attacks.

We also use a rate limiter, which limits the number of connections to a server, to a particular web hosting account and from a visitor's IP address within a given time window. This way we have no problem blocking harmful traffic while keeping the site available for the rest of your visitors.

Our whole protection is fairly complex, but more or less automatic. All told, we run it on more than 20 servers. If needed, we can add more at any time and thus increase the filtering capacity.
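The monitoring advice above (probe with an HTTP(S) request and check the response, not with ping) as an added example that is not WEDOS's monitoring code. The verdict function covers each failure mode that paragraph lists where ping would still answer: no response or a 5xx (overload, shutdown), a redirect to another host (a compromised site sending visitors elsewhere), and a 200 that is missing the expected page content (a failed update). The hostnames, the content marker "Acme Shop" and the local demo server with its four endpoints are constructed for illustration.

```python
"""Availability check by HTTP(S) request and response code, not by ping.

Added example, not WEDOS monitoring code. The hostnames, the content marker
"Acme Shop" and the local demo server are constructed for illustration.
"""
import http.server
import threading
import urllib.error
import urllib.request
from typing import Optional, Tuple
from urllib.parse import urlsplit


def classify(status: Optional[int], final_url: str, body: str,
             expected_host: str, marker: str) -> Tuple[str, str]:
    """Turn what an HTTP probe saw into ("ok" | "down", reason).

    Each branch is a case where ping would still answer but the site is not
    serving: no answer or 5xx (overloaded, shut down), a redirect to another
    host (compromised site), or a 200 without the expected content (failed
    update, error page served with status 200).
    """
    if status is None:
        return "down", "no HTTP response"
    if status >= 500:
        return "down", f"server error {status}"
    if status != 200:
        return "down", f"unexpected status {status}"
    host = urlsplit(final_url).hostname
    if host != expected_host:
        return "down", f"redirected to {host}"
    if marker not in body:
        return "down", "expected content missing"
    return "ok", "200 with expected content"


def check_http(url: str, marker: str, timeout: float = 5.0) -> Tuple[str, str]:
    """Fetch url (redirects are followed), then classify the final response."""
    expected_host = urlsplit(url).hostname
    req = urllib.request.Request(url, headers={"User-Agent": "availability-probe/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return classify(resp.status, resp.geturl(), body, expected_host, marker)
    except urllib.error.HTTPError as e:          # 4xx/5xx answers
        return classify(e.code, url, "", expected_host, marker)
    except OSError:                              # refused, timeout, DNS failure
        return classify(None, url, "", expected_host, marker)


class _DemoHandler(http.server.BaseHTTPRequestHandler):
    """Constructed endpoints standing in for the states the post lists."""

    def do_GET(self):
        port = self.server.server_address[1]
        if self.path == "/ok":                       # healthy site
            self._reply(200, b"<html>Acme Shop - open for business</html>")
        elif self.path == "/overloaded":             # overloaded or shut down
            self._reply(503, b"busy")
        elif self.path == "/hacked":                 # compromised site sending visitors elsewhere
            self.send_response(302)
            self.send_header("Location", f"http://localhost:{port}/ok")
            self.end_headers()
        elif self.path == "/broken-update":          # answers 200 but with an error page
            self._reply(200, b"<html>Error establishing a database connection</html>")
        else:
            self._reply(404, b"not found")

    def _reply(self, status: int, body: bytes):
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):                    # keep demo output quiet
        pass


def demo() -> dict:
    """Probe the constructed local server; returns {path: verdict}."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port = srv.server_address[1]
    verdicts = {p: check_http(f"http://127.0.0.1:{port}{p}", "Acme Shop")
                for p in ("/ok", "/overloaded", "/hacked", "/broken-update")}
    srv.shutdown()
    return verdicts


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{path:15} {verdict}")
```

Running the script probes all four endpoints: only /ok is reported as up; /overloaded fails on the 503, /hacked on the redirect to a different host, and /broken-update on the missing marker even though it returned 200. Checking for a known string on the page is what catches the last case; a probe that only looks at the status code would happily accept a database error page.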
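The rate limiter described above, as an added example that is not WEDOS code: one sliding-window budget per client IP, one per hosted site and one per server, checked in that order so that an abusive client exhausts only its own budget and other visitors of the same site are still admitted. The limits (5 connections per IP, 50 per site, 200 per server, all within 10 seconds), the names web12 and shop.example, the client addresses and the connection log are constructed for illustration.

```python
"""Connection rate limiting per client IP, per hosted site and per server.

Added example, not the WEDOS rate limiter. The limits, the names web12 and
shop.example, the client addresses and the connection log are constructed.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple


class SlidingWindowLimiter:
    """Allows at most `limit` accepted events per key within any `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._events: Dict[str, Deque[float]] = defaultdict(deque)

    def _live(self, key: str, now: float) -> Deque[float]:
        q = self._events[key]
        while q and now - q[0] >= self.window:   # forget events that left the window
            q.popleft()
        return q

    def allow(self, key: str, now: float) -> bool:
        q = self._live(key, now)
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def used(self, key: str, now: float) -> int:
        """Accepted events for key still counting against the budget."""
        return len(self._live(key, now))


class ConnectionGate:
    """Checks a new connection against three budgets at once.

    The per-client check runs first: an abusive IP exhausts only its own
    budget, and its rejected attempts never count against the shared site
    or server budgets, so other visitors of the same site stay unaffected.
    """

    def __init__(self, per_ip: int, per_vhost: int, per_server: int, window: float):
        self.ip = SlidingWindowLimiter(per_ip, window)
        self.vhost = SlidingWindowLimiter(per_vhost, window)
        self.server = SlidingWindowLimiter(per_server, window)

    def admit(self, server: str, vhost: str, client_ip: str, now: float) -> Tuple[bool, str]:
        if not self.ip.allow(client_ip, now):
            return False, f"client {client_ip} over limit"
        if not self.vhost.allow(vhost, now):
            return False, f"site {vhost} over limit"
        if not self.server.allow(server, now):
            return False, f"server {server} over limit"
        return True, "admitted"


Record = Tuple[float, str, str, str]   # (time, server, vhost, client_ip)


def constructed_log() -> List[Record]:
    """One abusive client opening 30 connections to a site within two seconds,
    alongside two ordinary visitors with three connections each."""
    log: List[Record] = [(i * 0.05, "web12", "shop.example", "198.51.100.7") for i in range(30)]
    log += [(0.5 + i * 0.3, "web12", "shop.example", "192.0.2.10") for i in range(3)]
    log += [(1.0 + i * 0.3, "web12", "shop.example", "192.0.2.11") for i in range(3)]
    return sorted(log)


def replay(gate: ConnectionGate, log: List[Record]) -> Dict[str, Tuple[int, int]]:
    """Feed records through the gate; returns {client_ip: (admitted, rejected)}."""
    counts: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for t, server, vhost, ip in log:
        ok, _ = gate.admit(server, vhost, ip, t)
        counts[ip][0 if ok else 1] += 1
    return {ip: (a, r) for ip, (a, r) in counts.items()}


if __name__ == "__main__":
    gate = ConnectionGate(per_ip=5, per_vhost=50, per_server=200, window=10.0)
    print(replay(gate, constructed_log()))                       # abusive IP: 5 in, 25 out
    print("site budget used:", gate.vhost.used("shop.example", 2.0))
    print("same client at t=10 s:", gate.admit("web12", "shop.example", "198.51.100.7", 10.0))
```

The abusive client gets its first five connections through and the remaining twenty-five rejected, while both ordinary visitors are admitted in full; the site's shared budget ends up charged only for the eleven connections that were actually admitted. Once the window slides past the client's first connection (at t = 10 s here) it is allowed again, which is the behaviour you want from a limiter that has to distinguish a burst from a ban.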
Category: technologie. Tags: ddos-ochrana, ips-idsc-ochrana. Source record: https://blog.wedos.com/cs/wp-json/wp/v2/posts/650