{
  "id":90264,
  "date":"2022-02-11T13:11:32",
  "date_gmt":"2022-02-11T12:11:32",
  "guid":{"rendered":"https:\/\/blog.wedos.cz\/?p=90264"},
  "modified":"2022-02-11T13:11:34",
  "modified_gmt":"2022-02-11T12:11:34",
  "slug":"dalsi-dve-ukazky-utoku-pres-aplikacni-vrstvu-na-nase-zakazniky",
  "status":"publish",
  "type":"post",
  "link":"https:\/\/blog.wedos.com\/cs\/dalsi-dve-ukazky-utoku-pres-aplikacni-vrstvu-na-nase-zakazniky",
  "title":{"rendered":"Two more examples of application-layer attacks on our customers"},
  "content":{"rendered":"\n<p>Last month, in the article <a href=\"https:\/\/blog.wedos.cz\/zacinaji-se-objevovat-pripady-vydirani-ddos-utoky-na-aplikacni-vrstve\" target=\"_blank\" rel=\"noopener\">Cases of extortion with application-layer DDoS attacks are starting to appear<\/a>, we showed you how an extortion attempt and the subsequent DDoS attack on a customer's website play out. We knew these cases were gradually becoming more frequent, but the pace is accelerating uncomfortably. Our log analyses also show that attackers are trying to disguise their attacks better, testing new methods and probing for the limits of our protection.<\/p>\n\n<!--more-->\n\n<h2 class=\"wp-block-heading\" id=\"co-je-to-utok-na-aplikacni-vrstve\">What an application-layer attack is<\/h2>\n\n<p>An application-layer attack (technically a Layer 7 attack) tries to overload your website itself. It may consist of simple scripted requests for a page, a bot simulating browsing of the site, or even traffic that looks legitimate at first glance, where the user has no idea they are overloading somebody's site because the access happens through a vulnerable application or an iframe.<\/p>\n\n<p>If your site is not optimized, or it has a weak spot somewhere in the form of a resource-hungry script, a successful attack does not even need more than one device. That is a DoS attack (Denial of Service). What we are dealing with, however, is already a coordinated attack by many devices acting together. Such attacks are called DDoS (Distributed Denial of Service).<\/p>\n\n<h2 class=\"wp-block-heading\" id=\"kdo-provadi-tyto-utoky\">Who carries out these attacks<\/h2>\n\n<p>When a device (a PC, phone, server, router, smart fridge, IP camera and so on) is compromised and taken over by an attacker, it is enrolled in a so-called botnet. The attacker then controls the botnet through C&amp;C servers (Command and Control).<\/p>\n\n<p>Compromised websites can also be part of a botnet: a hidden backdoor plus a script that executes the orders arriving from the C&amp;C server.<\/p>\n\n<p>Large botnets (thousands to millions of devices) are run by organized groups whose goal is to make money, so most botnets do whatever earns the most. Currently that is mainly ransomware, phishing, theft of sensitive data and recruiting further devices into the botnet.<\/p>\n\n<p>A botnet can usually also carry out various kinds of DDoS attacks, and if somebody pays, it will.<\/p>\n\n<h2 class=\"wp-block-heading\" id=\"pripad-1-cil-eshop-vypalne-4500-usd\">Case #1 &#8211; target: an e-shop, ransom 4,500 USD<\/h2>\n\n<p>In January we encountered the first case of a customer of ours being extorted with an application-layer DDoS attack. He also forwarded us the e-mail from the extortionists, who demanded 3,000 USD in bitcoin (you can find it in the <a href=\"https:\/\/blog.wedos.cz\/zacinaji-se-objevovat-pripady-vydirani-ddos-utoky-na-aplikacni-vrstve\" target=\"_blank\" rel=\"noopener\">previous article<\/a>). Since the timing matched, we assume it really did come from the attackers.<\/p>\n\n<p>This time the situation was similar. We do not have a sample of the e-mail; the customer only told us that somebody was demanding 4,500 USD in bitcoin from him. Based on our analysis of the traffic and the request headers, we assume it was the same attacker.<\/p>\n\n<p>Unlike the previous attack, which was very poorly disguised and where grouping the data appropriately was enough to derive precise blocking rules, this one was already a little more sophisticated.<\/p>\n\n<p>What was really interesting is that it went after non-existent pages. Essentially every request called:<\/p>\n\n<pre class=\"wp-block-preformatted\">domain.tld\/string<\/pre>\n\n<p>where the string consisted of 12 alphanumeric characters. In the log, the attacker's requests then looked like this:<\/p>\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/blog.wedos.cz\/wp-content\/uploads\/2022\/02\/utoky-20220131-webserver-generovane-url.png\" target=\"_blank\" rel=\"noopener\"><img src=\"https:\/\/blog.wedos.cz\/wp-content\/uploads\/2022\/02\/utoky-20220131-webserver-generovane-url.png\" alt=\"\" class=\"wp-image-90282\" \/><\/a><figcaption>Requests for non-existent pages: an attempt to evade detection or bypass cached content.<\/figcaption><\/figure>\n\n<p>With this kind of attack, what matters is how you handle 404 errors, i.e. non-existent pages. If the CMS handles them, such requests are usually not cached and the site can become overloaded very quickly. The ideal setup is to <a href=\"https:\/\/kb.wedos.com\/cs\/webhosting\/htaccess\/htaccess-chybove-stranky\/\" target=\"_blank\" rel=\"noopener\">redirect via .htaccess to a static HTML page or simply return a plain error message<\/a>.<\/p>\n\n<p>Because it is one request per URL, attacks like this can very easily get lost in the log. And of course, forget about seeing these requests in traffic statistics that are embedded as JavaScript (Google Analytics, for example). Those measure real visitors whose browser runs the JavaScript, not bots that merely send requests.<\/p>\n\n<p>In theory the attacker may also have been trying to overload the protection itself. Imagine having to create a rule automatically for every URL, or having to analyze a very long log.<\/p>\n\n<p>The web server coped, but the customer's site started returning 503 errors (process pool exhausted) and pages loaded slowly. He let us know, so we quickly put the site behind WEDOS Global Protection, which is still under development but can already deal with attacks like this.<\/p>\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/blog.wedos.cz\/wp-content\/uploads\/2022\/02\/utoky-20220131-webserver.png\" target=\"_blank\" rel=\"noopener\"><img src=\"https:\/\/blog.wedos.cz\/wp-content\/uploads\/2022\/02\/utoky-20220131-webserver.png\" width=\"832\" height=\"484\" alt=\"\" class=\"wp-image-90288\" \/><\/a><figcaption>All requests for *.php pages of the customer's site. 5-minute graph.<\/figcaption><\/figure>\n\n<p>The problem was gone within moments. Our colleagues have made real progress with the protection: there is now a working administration interface, so everything is faster, more convenient and clearer.<\/p>\n\n<p>The attacker kept trying for roughly another 30 minutes, but once he realized he had hit a wall, he used the potential of his botnet and sent a Layer 4 attack (at the transport layer) in the form of a few hundred thousand SYN packets (a SYN flood). Our DDoS protection caught that one.<\/p>\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/blog.wedos.cz\/wp-content\/uploads\/2022\/02\/utoky-20220131-DDoS-ochrana-pakety.png\" target=\"_blank\" rel=\"noopener\"><img src=\"https:\/\/blog.wedos.cz\/wp-content\/uploads\/2022\/02\/utoky-20220131-DDoS-ochrana-pakety.png\" alt=\"\" class=\"wp-image-90293\" \/><\/a><figcaption>Number of packets passing over 3 routes (each with a capacity of 100 Gbps).<\/figcaption><\/figure>\n\n<p>This part of the attack ended after roughly two hours. It was nothing extreme; we regularly see far stronger attacks of this type, and we have had extensive experience with them since 2013.<\/p>\n\n<p>On the other hand, you need to realize who you are actually up against. 500K SYN packets per second is quite a lot by Czech standards. It is a very insidious attack that requires specific protection, and not everyone can invest over a million a year in hardware, development and people just to keep improving their DDoS protection \ud83d\ude09<\/p>\n\n<h2 class=\"wp-block-heading\" id=\"pripad-2-cil-eshop-vypalne-nezname\">Case #2 &#8211; target: an e-shop, ransom unknown<\/h2>\n\n<p>This attack took place at the beginning of February and surprised us with its strength: the number of blocked requests exceeded 168 thousand per minute.<\/p>\n\n<p>The target was again an e-shop. The attacker aimed all requests at its home page, which fortunately was very well optimized and cached.<\/p>\n\n<p>The attack began at 14:00 and its intensity grew gradually. After 14:40 it was so high that the site started to slow down and 503 errors gradually appeared.<\/p>\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/blog.wedos.cz\/wp-content\/uploads\/2022\/02\/utoky-20220201-webserver.png\" target=\"_blank\" rel=\"noopener\"><img src=\"https:\/\/blog.wedos.cz\/wp-content\/uploads\/2022\/02\/utoky-20220201-webserver.png\" width=\"843\" height=\"437\" alt=\"\" class=\"wp-image-90303\" \/><\/a><figcaption>The graph shows the number of requests for .php pages and how the web server handled them. 5-minute graph.<\/figcaption><\/figure>\n\n<p>The customer wrote to us that he had a problem with his site. Our technicians had been watching it for a while, but as long as other customers are not affected, they do not intervene. After agreeing with him, the site was moved behind our WEDOS Global Protection.<\/p>\n\n<p>The site was of course relieved immediately. The attacker, however, decided to turn up the heat considerably, eventually pushing the per-minute graph to as many as 168,199 requests.<\/p>\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/blog.wedos.cz\/wp-content\/uploads\/2022\/02\/utoky-20220201-ochrany.png\" target=\"_blank\" rel=\"noopener\"><img src=\"https:\/\/blog.wedos.cz\/wp-content\/uploads\/2022\/02\/utoky-20220201-ochrany.png\" alt=\"\" class=\"wp-image-90308\" \/><\/a><figcaption>Request-handling statistics on WEDOS Global Protection. 1-minute graph.<\/figcaption><\/figure>\n\n<p>The graph from the protection also shows how he changed tactics: three times he tried to break through with a larger number of requests at a single moment.<\/p>\n\n<p>In total, the attack on the customer lasted roughly 2 hours. From the data on the web server (before the protection was deployed), we also have information on where the attacks came from.<\/p>\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/blog.wedos.cz\/wp-content\/uploads\/2022\/02\/utoky-20220201-webserver-zeme-puvodu.png\" target=\"_blank\" rel=\"noopener\"><img src=\"https:\/\/blog.wedos.cz\/wp-content\/uploads\/2022\/02\/utoky-20220201-webserver-zeme-puvodu.png\" width=\"740\" height=\"663\" alt=\"\" class=\"wp-image-90314\" \/><\/a><figcaption>Table of where the attacks came from during roughly the first 60 minutes.<\/figcaption><\/figure>\n\n<p>As you can see, a lot of it came from Europe, and the Czech Republic is even in 4th place. Geoblocking that cuts off foreign traffic would not have helped in this case.<\/p>\n\n<p>We then took a closer look at the traffic from the Czech Republic.<\/p>\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/blog.wedos.cz\/wp-content\/uploads\/2022\/02\/utoky-20220201-webserver-IPv4-puvodu-CR-e1644316550675.png\" target=\"_blank\" rel=\"noopener\"><img src=\"https:\/\/blog.wedos.cz\/wp-content\/uploads\/2022\/02\/utoky-20220201-webserver-IPv4-puvodu-CR-e1644316550675.png\" width=\"651\" height=\"563\" alt=\"\" class=\"wp-image-90322\" \/><\/a><figcaption>IP addresses in the Czech Republic from which the attacks came during roughly the first 60 minutes.<\/figcaption><\/figure>\n\n<p>What made this attack specific was that the attacker abused various anonymous-browsing services (proxy servers, Tor). Essentially all of 45.153.160.* are Tor exit nodes. The IP address in first place appears on proxy server lists; attacks come from it repeatedly and no useful traffic at all, so it ended up on the permanent blacklist.<\/p>\n\n<p>We never learned how much the ransom was; the extortion e-mail apparently ended up in spam.<\/p>\n\n<h2 class=\"wp-block-heading\" id=\"zaver\">Conclusion<\/h2>\n\n<p>We keep monitoring traffic and improving our protection. Soon we will give you a look at the future customer administration of WEDOS Global Protection. We want to make the service as simple as possible to use, while still giving you the choice of what else to block or allow, and how.<\/p>\n\n<p>By the way, if you would like to take part in developing the protection (L3, L4 or L7) yourself, <a href=\"https:\/\/www.wedos.cz\/kariera\" target=\"_blank\" rel=\"noopener\">we are hiring<\/a>. WEDOS Global Protection will be part of our new worldwide network, WEDOS Global. This year we plan to place over 1,000 physical servers in 25 locations, which will help us take our protection to a whole new level. We could use a few more people on the team: we have 8 open positions and are looking for more than one person for some of them. Our growth is currently limited only by headcount.<\/p>\n","protected":false},
  "excerpt":{"rendered":"<p>Last month, in the article Cases of extortion with application-layer DDoS attacks are starting to appear, we showed you how an extortion attempt and the subsequent DDoS attack on a customer's website play out. We knew these cases were gradually becoming more frequent, but the pace is accelerating uncomfortably. Our log analyses also show that attackers are trying to disguise their attacks better, testing new methods and probing &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/blog.wedos.com\/cs\/dalsi-dve-ukazky-utoku-pres-aplikacni-vrstvu-na-nase-zakazniky\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8222;Two more examples of application-layer attacks on our customers&#8220;<\/span><\/a><\/p>\n","protected":false},
  "author":9,
  "featured_media":90288,
  "comment_status":"closed",
  "ping_status":"closed",
  "sticky":false,
  "template":"",
  "format":"standard",
  "meta":{"footnotes":""},
  "categories":[112],
  "tags":[149,122,180,182],
  "class_list":["post-90264","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-bezpecnost","tag-botnet","tag-ddos","tag-kyberbezpecnost","tag-layer-7-attack"],
  "_links":{"self":[{"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/posts\/90264","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/comments?post=90264"}],"version-history":[{"count":10,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/posts\/90264\/revisions"}],"predecessor-version":[{"id":90694,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/posts\/90264\/revisions\/90694"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/media\/90288"}],"wp:attachment":[{"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/media?parent=90264"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/categories?post=90264"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/tags?post=90264"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}
}