How to enable DDoS protection?

Question

DDoS (Distributed Denial of Service Attacks) are generally blocked on a server level right?

Is there a way to block it on a PHP level, or at least reduce it?

If not, what is the fastest and most common way to stop DDoS attacks?

Recommended answer

DDOS is a family of attacks which overwhelm key systems in the datacenter including:

  • The hosting center's network connection to the internet
  • The hosting center's internal network and routers
  • Your firewalls and load balancers
  • Your web servers, application servers and databases.

Before you start on building your DDOS defence, consider what the worst-case value-at-risk is. For a non-critical, free-to-use service for a small community, the total value at risk might be peanuts. For a paid-for, public-facing, mission-critical system for an established multi-billion dollar business, the value might be the worth of the company. In this latter case, you shouldn't be using StackExchange :) Anyway, to defend against DDOS, you need a defence in-depth approach:

  1. Work with your hosting center to understand the services they offer, including IP and port filtering at their network connections to the internet and firewall services they offer. This is critical: Many sites are pulled from the internet by the hosting company as the hosting company deals with the data center-wide disruption caused by the DDOS to one customer. Also, during a DDOS attack, you will be working very closely with the hosting center's staff, so know their emergency numbers and be on good terms with them :) They should be able to block off whole international regions, completely block specific services or network protocols and other broad-spectrum defensive measures, or alternatively allow only whitelisted IPs (depending on your business model)
  2. While on the hosting center - use a Content Delivery Network to distribute (mainly static) services close to your end users and hide your real servers from the DDOS architects. The full CDN is too big for a DDOS to take out all nodes in all countries; if the DDOS is focused on one country, at least other users are still OK.
  3. Keep all your systems and software packages updated with the latest security patches - and I mean all of them:

  • Managed switches - yes, these sometimes need updating
  • Routers
  • Firewalls
  • Load balancers
  • Operating systems
  • Web servers
  • Languages and their libraries

Ensure that you have a good firewall or security appliance set up and regularly reviewed by a qualified security expert. Strong rules on the firewall are a good defence against many simple attacks. It's also useful to be able to manage bandwidth available for each open service.

Have good network monitoring tools (http://en.wikipedia.org/wiki/Network_monitoring) in place - this can help you understand:

  • That you are under attack rather than just under heavy load
  • Where the attack is coming from (which may include countries you don't normally do business with) and
  • What the attack actually is (ports, services, protocols, IPs and packet contents)

The attack might simply be heavy use of legitimate web site services (eg hitting 'legal' URIs running queries or inserting/updating/deleting data) - thousands or millions of requests coming from tens to millions of different IP addresses will bring a site to its knees. Alternatively, some services might be so expensive to run that only a few requests cause a DOS - think a really expensive report. So you need good application level monitoring of what is going on:

  • Which services have been invoked and what parameters/data were sent (i.e. logging in your application)
  • Which user is making the call and from which IP (i.e. logging in your application)
  • What queries and inserts/updates/deletes the database is performing
  • Load average, CPU utilisation, disk I/O and network traffic on all machines (and VMs) in the system
  • Make sure all this information is easy to retrieve and that you can correlate logs from different machines and services (i.e. make sure all machines have their clocks synchronised with ntp).

Sensible constraints and limits in the application. For example, you could:

  • Use QoS features in the load balancer to send all anonymous sessions to a separate application server in the cluster, while logged-in users use another set. This prevents an application-level anonymous DDOS from taking out valuable customers
  • Protect anonymous services with a strong CAPTCHA
  • Session timeouts
  • Have session limits or rate limits on certain types of requests (e.g. reports). Make sure anonymous access can be switched off if necessary
  • Make sure users have a limit on the number of concurrent sessions (to prevent a hacked account logging in a million times)
  • Use different database application users for different services (e.g. transactional use vs. reporting use), and use database resource management to prevent one type of web request from overwhelming all other types
  • If possible, make these constraints dynamic, or at least configurable. That way, when you are under attack, you can set aggressive temporary limits ('throttling' the attack), e.g. only one session per user and no anonymous access. That is certainly not great for your customers, but far better than no service at all.

Last, but not least, write a DOS Response Plan document and get this internally reviewed by all relevant parties: Business, Management, the SW dev team, the IT team and a security expert. The process of writing the document will cause you and your team to think through the issues and help you to be prepared if the worst should happen at 3am on your day off. The document should cover (among other things):

  • What is at risk and the business cost
  • Measures taken to protect the assets
  • How an attack is detected
  • Planned response and escalation procedures
  • Processes for keeping the system and this document up to date

So, preamble aside, here are some specific answers:

DDOS are generally blocked on a server level, right?

Not really - most of the worst DDOS attacks are low-level (at the IP packet level) and are handled by routing rules, firewalls, and security devices developed to handle DDOS attacks.

Is there a way to block it on a PHP level, or at least reduce it?

Some DDOS attacks are aimed at the application itself, sending valid URIs and HTTP requests. When the rate of requests goes up, your server(s) begin to struggle and you will have an SLA outage. In this case, there are things you can do at the PHP level:

  • Application level monitoring: Ensure each service/page logs requests in a way that you can see what is going on (so you can take actions to mitigate the attack). Some ideas:

  • Have a log format that you can easily load into a log tool (or Excel or similar), and parse with command-line tools (grep, sed, awk). Remember that a DDOS will generate millions of lines of log. You will likely need to slice'n'dice your logs (especially with respect to URI, time, IP and user) to work out what is going on, and need to generate data such as:

  • Which URIs are being accessed
  • Which URIs have a high failure rate (possibly an indication of the specific URIs the attackers are hitting)
  • Which users are accessing the service
  • From how many IPs each user is accessing the service
  • Which URIs anonymous users are accessing
  • Which parameters are used for a given service
  • An audit of a specific user's actions

Log the IP address of each request. DON'T reverse DNS this - ironically the cost of doing this makes a DDOS easier for the attackers

Sensible rate limits: You might implement limits on how many requests a given IP or User can make in a given time period. Could a legitimate customer make more than 10 requests per second? Can anonymous users access expensive reports at all?

CAPTCHA for anonymous access: Implement a CAPTCHA for all anonymous requests to verify that the user is a person, not a DDOS bot.

阻止DDOS攻击的最快,最常见的方法是什么?

What's the fastest and most common way to stop DDOS attacks?

The fastest is probably to give in to the blackmail, although this might not be desirable.

Otherwise, the first thing you need to do is contact your hosting and/or CDN provider and work with them (if they haven't contacted you already asking what the hell is going on...). When a DDOS occurs, it will likely collaterally affect other customers of the hosting provider, and the provider may be under considerable pressure to shut down your site simply to protect their resources. Be prepared to share your logs (any and all information) with the provider; these logs, combined with their network monitors, may together provide enough information to block/mitigate the attack.

If you are expecting a DDOS, it's a very good idea to qualify your hosting provider on the level of protection they can provide. They should have DDOS experience and tools to mitigate it - understand their tools, processes and escalation procedures. Also ask about what support the hosting provider has from their upstream providers. These services might mean more up-front or monthly cost, but treat this as an insurance policy.

While under attack, you will need to grab your logs and mine them - try and work out the pattern of the attack. You should consider switching off anonymous access and throttling the services under attack (i.e. decrease the application's rate limit for the service).

If you are lucky and you have a small, fixed customer-base, you might be able to determine your valid customers' IP addresses. If this is the case, you might switch to a white-list approach for a short while. Make sure all your customers know this is going on so they can call if they need to access from a new IP :)

Doug McClean has some great advice at: https://stackoverflow.com/a/1029613/1395668
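The answer above recommends slicing a web server's access log by URI, IP and user to find which URIs are failing, which IPs are hammering the site, and what anonymous users are hitting. The following is an added example of that analysis (editor's code, not part of the original answer or any project the answer mentions). It parses a few constructed lines in Apache "combined" log format and computes the per-URI failure rate, distinct IPs per URI, the URIs hit by anonymous users, and the peak request count from a single IP in one second. The log lines, IP addresses (from documentation ranges) and URIs are all constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /report/expensive HTTP/1.1" 200 5123 "-" "curl/7.88"
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /report/expensive HTTP/1.1" 503 512 "-" "curl/7.88"
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /report/expensive HTTP/1.1" 503 512 "-" "curl/7.88"
203.0.113.11 - - [10/Oct/2023:13:55:37 +0000] "GET /report/expensive HTTP/1.1" 503 512 "-" "curl/7.88"
198.51.100.7 - alice [10/Oct/2023:13:55:37 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - alice [10/Oct/2023:13:55:38 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.12 - - [10/Oct/2023:13:55:38 +0000] "GET /report/expensive HTTP/1.1" 503 512 "-" "curl/7.88"
"""

# Fields of the combined format we care about: client IP, authenticated user,
# timestamp, request line (method + URI) and the HTTP status code.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_log(text):
    """Yield one dict per parseable line; unparseable lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["user"] = None if rec["user"] == "-" else rec["user"]   # "-" means anonymous
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield rec


def slice_log(text):
    """Aggregate an access log the way the answer suggests: by URI, IP and user."""
    records = list(parse_log(text))
    hits_per_uri = Counter(r["uri"] for r in records)
    fails_per_uri = Counter(r["uri"] for r in records if r["status"] >= 400)
    ips_per_uri = defaultdict(set)
    for r in records:
        ips_per_uri[r["uri"]].add(r["ip"])
    anon_uris = Counter(r["uri"] for r in records if r["user"] is None)
    # Requests per (IP, second): a single IP with many hits in one second stands out.
    per_sec = Counter((r["ip"], r["ts"]) for r in records)
    return {
        "top_ips": Counter(r["ip"] for r in records).most_common(3),
        "failure_rate": {u: fails_per_uri[u] / hits_per_uri[u] for u in hits_per_uri},
        "distinct_ips_per_uri": {u: len(s) for u, s in ips_per_uri.items()},
        "anonymous_uris": dict(anon_uris),
        "peak_req_per_sec": max(per_sec.values(), default=0),
    }


if __name__ == "__main__":
    for key, value in slice_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On a real log you would stream the file line by line instead of loading it whole, since (as the answer notes) a DDOS produces millions of lines; the aggregation itself is unchanged. Note that nothing here performs reverse DNS on the IPs, in line with the answer's advice.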
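The answer also recommends application-level constraints that are configurable at runtime: per-IP or per-user rate limits, denying anonymous users access to expensive reports, a cap on concurrent sessions per user, and an aggressive temporary profile ("no anonymous access, one session per user") to switch on while under attack. The following is an added example of such a limiter (editor's code, not from the original answer or any project it mentions). It uses a sliding window keyed by user when logged in, otherwise by client IP; the profile names, the limit numbers and the `expensive` flag are constructed for illustration, and the clock is injectable so the behaviour can be tested without real waiting.

```python
import time
from collections import deque

# Constructed limit profiles (illustrative numbers, not from the answer):
# (max requests, window seconds) per client class, whether anonymous access
# is open at all, and the per-user cap on concurrent sessions.
# "under_attack" is the aggressive temporary profile the answer describes.
PROFILES = {
    "normal": {
        "anonymous": (10, 1.0),
        "user": (30, 1.0),
        "anonymous_allowed": True,
        "anonymous_expensive": False,    # anonymous users never get expensive reports
        "max_sessions_per_user": 5,
    },
    "under_attack": {
        "anonymous": (0, 1.0),
        "user": (5, 1.0),
        "anonymous_allowed": False,
        "anonymous_expensive": False,
        "max_sessions_per_user": 1,
    },
}


class RateLimiter:
    """Sliding-window limiter keyed by user (if logged in) or by client IP."""

    def __init__(self, profile="normal", clock=time.monotonic):
        self.profile = profile
        self.clock = clock       # injectable so tests can control time
        self.windows = {}        # key -> deque of recent request timestamps
        self.sessions = {}       # user -> set of active session ids

    def set_profile(self, name):
        """Switch limits at runtime, e.g. to 'under_attack' during an incident."""
        if name not in PROFILES:
            raise ValueError(f"unknown profile: {name}")
        self.profile = name

    def open_session(self, user, session_id):
        """Enforce the concurrent-session cap per user; returns True if accepted."""
        active = self.sessions.setdefault(user, set())
        if session_id in active:
            return True
        if len(active) >= PROFILES[self.profile]["max_sessions_per_user"]:
            return False
        active.add(session_id)
        return True

    def allow(self, client_ip, user=None, expensive=False):
        """Return True if the request may proceed under the current profile."""
        cfg = PROFILES[self.profile]
        if user is None:
            if not cfg["anonymous_allowed"]:
                return False
            if expensive and not cfg["anonymous_expensive"]:
                return False
        key = ("user", user) if user is not None else ("ip", client_ip)
        limit, window = cfg["user" if user is not None else "anonymous"]
        now = self.clock()
        recent = self.windows.setdefault(key, deque())
        while recent and now - recent[0] >= window:   # drop events outside the window
            recent.popleft()
        if len(recent) >= limit:
            return False
        recent.append(now)
        return True


if __name__ == "__main__":
    limiter = RateLimiter()
    verdicts = [limiter.allow("203.0.113.10") for _ in range(12)]
    print("anonymous burst of 12:", verdicts.count(True), "allowed")
    limiter.set_profile("under_attack")
    print("anonymous while under attack:", limiter.allow("203.0.113.10"))
```

In a PHP deployment the same logic would need shared state across worker processes (for example an in-memory store) rather than a per-process dictionary, and the active profile would be read from configuration so that it can be flipped without redeploying; the decision logic is what this example shows.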
