How to enable DDoS protection?

Problem description

DDoS (Distributed Denial of Service Attacks) are generally blocked on a server level right?

Is there a way to block it on a PHP level, or at least reduce it?

If not, what is the fastest and most common way to stop DDoS attacks?

Recommended answer

DDOS is a family of attacks which overwhelm key systems in the datacenter including:

  • The hosting center's network connectivity to the internet
  • The hosting center's internal network and routers
  • Your firewalls and load balancers
  • Your web servers, application servers and databases.

Before you start on building your DDOS defence, consider what the worst-case value-at-risk is. For a non-critical, free-to-use service for a small community, the total value at risk might be peanuts. For a paid-for, public-facing, mission-critical system for an established multi-billion dollar business, the value might be the worth of the company. In this latter case, you shouldn't be using StackExchange :) Anyway, to defend against DDOS, you need a defence in-depth approach:

  1. Work with your hosting center to understand the services they offer, including IP and port filtering at their network connections to the internet and firewall services they offer. This is critical: Many sites are pulled from the internet by the hosting company as the hosting company deals with the data center-wide disruption caused by the DDOS to one customer. Also, during a DDOS attack, you will be working very closely with the hosting center's staff, so know their emergency numbers and be on good terms with them :) They should be able to block off whole international regions, completely block specific services or network protocols and other broad-spectrum defensive measures, or alternatively allow only whitelisted IPs (depending on your business model)
  2. While on the hosting center - use a Content Delivery Network to distribute (mainly static) services close to your end users and hide your real servers from the DDOS architects. The full CDN is too big for a DDOS to take out all nodes in all countries; if the DDOS is focused on one country, at least other users are still OK.
  3. Keep all your systems and software packages updated with the latest security patches - and I mean all of them:

  • Hosting switches - yes, these sometimes need updating
  • Routers
  • Firewalls
  • Load balancers
  • Operating systems
  • Web servers
  • Languages and their libraries

Ensure that you have a good firewall or security appliance set up and regularly reviewed by a qualified security expert. Strong rules on the firewall are a good defence against many simple attacks. It's also useful to be able to manage bandwidth available for each open service.

Have good network monitoring tools in place - this can help you understand:

  • That you are under attack rather than simply under heavy load
  • Where the attack is coming from (which may include countries you don't normally do business with), and
  • What the attack actually is (ports, services, protocols, IPs and packet contents)

The attack might simply be heavy use of legitimate web site services (eg hitting 'legal' URIs running queries or inserting/updating/deleting data) - thousands or millions of requests coming from tens to millions of different IP addresses will bring a site to its knees. Alternatively, some services might be so expensive to run that only a few requests cause a DOS - think a really expensive report. So you need good application level monitoring of what is going on:

  • Which services are being called and what arguments/data are sent (i.e. logging in your application)
  • Which users are making the calls and from which IPs (i.e. logging in your application)
  • What queries and inserts/updates/deletes the database is performing
  • Average load, CPU utilisation, disk I/O and network traffic on all computers (and VMs) in your system
  • Ensure all this information is easily retrievable and that you can correlate logs from different computers and services (i.e. make sure all computers are time-synchronised using ntp).

Sensible constraints and limits in the application. For example, you could:

  • Use the QoS feature of the load balancer to send all anonymous sessions to separate application servers in the cluster, while logged-in users use another set. This prevents an application-level anonymous DDOS from taking out valuable customers
  • Protect anonymous services with a strong CAPTCHA
  • Session timeouts
  • Set a session limit or rate limit on certain types of request, such as reports. Make sure you can switch off anonymous access if necessary
  • Ensure users have a limit on the number of concurrent sessions (to prevent a hacked account logging in a million times)
  • Use different database application users for different services (e.g. transactional use vs. reporting use), and use database resource management to prevent one type of web request from overwhelming all others
  • If possible, make these constraints dynamic, or at least configurable. That way, while you are under attack, you can put aggressive temporary limits in place ("throttling" the attack), such as only one session per user and no anonymous access. This is certainly not great for your customers, but far better than having no service at all.

Last, but not least, write a DOS Response Plan document and get this internally reviewed by all relevant parties: Business, Management, the SW dev team, the IT team and a security expert. The process of writing the document will cause you and your team to think through the issues and help you to be prepared if the worst should happen at 3am on your day off. The document should cover (among other things):

  • What is at risk, and the cost to the business
  • Measures taken to protect the assets
  • How an attack is detected
  • The planned response and escalation procedure
  • Processes to keep the system and this document up to date

So, preamble aside, here are some specific answers:

DDOS are generally blocked on a server level, right?

Not really - most of the worst DDOS attacks are low-level (at the IP packet level) and are handled by routing rules, firewalls, and security devices developed to handle DDOS attacks.

Is there a way to block it on a PHP level, or at least reduce it?

Some DDOS attacks are aimed at the application itself, sending valid URIs and HTTP requests. When the rate of requests goes up, your server(s) begin to struggle and you will have an SLA outage. In this case, there are things you can do at the PHP level:

  • Application level monitoring: Ensure each service/page logs requests in a way that you can see what is going on (so you can take actions to mitigate the attack). Some ideas:

  • Have a log format that you can easily load into a log tool (or Excel or similar), and parse with command-line tools (grep, sed, awk). Remember that a DDOS will generate millions of lines of log. You will likely need to slice'n'dice your logs (especially with respect to URI, time, IP and user) to work out what is going on, and need to generate data such as:

  • Which URIs are being accessed
  • Which URIs have a high failure rate (a likely indicator of the specific URIs the attackers are hitting)
  • Which users are accessing the service
  • How many IPs each user accesses the service from
  • Which URIs anonymous users are accessing
  • What arguments are being used for a given service
  • Audit a specific user's actions

Log the IP address of each request. DON'T reverse DNS this - ironically the cost of doing this makes a DDOS easier for the attackers
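The log format and the log slicing described above, as an added example that is not part of the original answer: one tab-separated record per request (the field order is my assumption), written with the client IP exactly as the web server reports it and no reverse-DNS lookup, followed by an offline pass over a constructed set of such lines that produces the per-URI failure rate, the URIs anonymous users hit, distinct IPs per user and requests per IP. The function names and the sample traffic are constructed for this illustration.

```php
<?php
// Added example (not the original answer's code): a structured request-log line
// and an offline analysis of a batch of such lines. Field order and sample data
// are constructed for illustration.
declare(strict_types=1);

// One tab-separated line per request: time, client IP, user (or "-"), method, URI, status, duration (ms).
// Tab separation keeps the records as easy to slice with cut/awk as with this script, e.g.
//   awk -F'\t' '$3 == "-" {print $5}' access.log | sort | uniq -c | sort -rn
function formatLogLine(string $ip, ?string $user, string $method, string $uri, int $status, int $ms): string
{
    // $ip is whatever the caller took from REMOTE_ADDR. Deliberately no reverse DNS here:
    // a lookup per request is exactly the kind of cost an attacker can make you pay at scale.
    return implode("\t", [
        gmdate('Y-m-d\TH:i:s\Z'),
        $ip,
        $user ?? '-',
        $method,
        str_replace(["\t", "\n"], ' ', $uri), // keep every record on a single line
        (string) $status,
        (string) $ms,
    ]);
}

/**
 * Aggregates log lines into the views the answer suggests looking at:
 * requests and failure rate per URI, anonymous URIs, IPs per user, requests per IP.
 */
function analyseLog(array $lines): array
{
    $perUri = [];     // uri  => ['total' => n, 'failed' => n]
    $ipsPerUser = []; // user => set of IPs
    $perIp = [];      // ip   => n
    $anonUris = [];   // uri  => n (anonymous requests only)

    foreach ($lines as $line) {
        $f = explode("\t", rtrim($line, "\n"));
        if (count($f) !== 7) {
            continue; // malformed record: skip it rather than abort the whole analysis
        }
        [, $ip, $user, , $uri, $status] = $f;
        $status = (int) $status;

        $perUri[$uri]['total'] = ($perUri[$uri]['total'] ?? 0) + 1;
        $perUri[$uri]['failed'] = ($perUri[$uri]['failed'] ?? 0) + ($status >= 400 ? 1 : 0);
        $perIp[$ip] = ($perIp[$ip] ?? 0) + 1;
        if ($user === '-') {
            $anonUris[$uri] = ($anonUris[$uri] ?? 0) + 1;
        } else {
            $ipsPerUser[$user][$ip] = true;
        }
    }

    $failureRate = [];
    foreach ($perUri as $uri => $c) {
        $failureRate[$uri] = round($c['failed'] / $c['total'], 2);
    }
    arsort($failureRate); // worst URIs first
    arsort($perIp);       // busiest IPs first

    return [
        'requests_per_uri'     => array_map(fn ($c) => $c['total'], $perUri),
        'failure_rate_per_uri' => $failureRate,
        'ips_per_user'         => array_map('count', $ipsPerUser),
        'requests_per_ip'      => $perIp,
        'anonymous_uris'       => $anonUris,
    ];
}

// Constructed sample: a few ordinary logged-in requests, then a burst of anonymous,
// failing hits on one expensive report URI spread over many IPs.
$lines = [
    formatLogLine('203.0.113.10', 'alice', 'GET', '/account', 200, 35),
    formatLogLine('203.0.113.10', 'alice', 'POST', '/order', 201, 120),
    formatLogLine('198.51.100.7', 'bob', 'GET', '/account', 200, 40),
];
for ($i = 1; $i <= 50; $i++) {
    $lines[] = formatLogLine("192.0.2.$i", null, 'GET', '/report/annual?year=2009', 503, 2900);
}

$summary = analyseLog($lines);
print_r($summary['failure_rate_per_uri']);
print_r($summary['anonymous_uris']);
print_r(array_slice($summary['requests_per_ip'], 0, 3, true));
```

On the constructed sample the report URI stands out with a failure rate of 1.0, all of it anonymous and spread over fifty source addresses, which is the shape the answer says to look for when deciding which service to throttle or close to anonymous users.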

Sensible rate limits: You might implement limits on how many requests a given IP or User can make in a given time period. Could a legitimate customer make more than 10 requests per second? Can anonymous users access expensive reports at all?
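The rate limits described here and the dynamic, configurable constraints from the list earlier in the answer (limits per user or per IP, stricter budgets for expensive reports, anonymous access that can be switched off while under attack), as an added example that is not part of the original answer. The `CounterStore` interface, the `RateLimiter` class, the array-backed store and every limit value are my own constructions; in a cluster the same interface would be backed by a shared store such as APCu or Redis so every web server counts against the same budgets.

```php
<?php
// Added example (not the original answer's code): a fixed-window request limiter
// keyed by user or by IP, with per-endpoint-class budgets that can be tightened at
// runtime. Store, class names and limit values are constructed for illustration.
declare(strict_types=1);

interface CounterStore
{
    /** Increment the counter for $key inside window $windowId and return the new count. */
    public function increment(string $key, int $windowId): int;
}

// In-process store for the example only; a deployment needs a store shared by all servers.
final class ArrayCounterStore implements CounterStore
{
    private array $counts = [];

    public function increment(string $key, int $windowId): int
    {
        $slot = $key . '|' . $windowId;
        $this->counts[$slot] = ($this->counts[$slot] ?? 0) + 1;
        return $this->counts[$slot];
    }
}

final class RateLimiter
{
    /**
     * @param array $limits  endpoint class => [max requests, window seconds, anonymous allowed].
     *                       Kept as data, not code, so it can be tightened during an attack.
     */
    public function __construct(private CounterStore $store, private array $limits) {}

    /** Override some or all limits at runtime (array union: new values win). */
    public function tightenTo(array $limits): void
    {
        $this->limits = $limits + $this->limits;
    }

    /** Returns true if the request may proceed, false if it should get a 429. */
    public function allow(string $class, string $ip, ?string $user, int $now): bool
    {
        [$max, $window, $anonAllowed] = $this->limits[$class] ?? $this->limits['default'];
        if ($user === null && !$anonAllowed) {
            return false; // anonymous access to this class is switched off
        }
        // Logged-in users are counted per account, so a hijacked account cannot spread its
        // load over many IPs; anonymous traffic can only be counted per source IP.
        $key = $class . ':' . ($user !== null ? 'u:' . $user : 'ip:' . $ip);
        $windowId = intdiv($now, $window);
        return $this->store->increment($key, $windowId) <= $max;
    }
}

// Normal operation: 10 requests per second for ordinary pages, 2 per minute for
// reports, and reports are never served anonymously.
$limiter = new RateLimiter(new ArrayCounterStore(), [
    'default' => [10, 1, true],
    'report'  => [2, 60, false],
]);

$t = 1_600_000_000; // constructed timestamp
$anonReport = $limiter->allow('report', '192.0.2.1', null, $t);   // anonymous report request
$burstOk = true;
for ($i = 0; $i < 10; $i++) {                                      // ten ordinary requests in one second
    $burstOk = $burstOk && $limiter->allow('default', '192.0.2.1', null, $t);
}
$eleventh   = $limiter->allow('default', '192.0.2.1', null, $t);     // one over budget in the same window
$nextWindow = $limiter->allow('default', '192.0.2.1', null, $t + 1); // a fresh window

// Under attack: tighten the limits and close anonymous access without a redeploy.
$limiter->tightenTo(['default' => [2, 1, false]]);
$anonNow = $limiter->allow('default', '192.0.2.1', null, $t + 2);        // anonymous, now refused
$userNow = $limiter->allow('default', '198.51.100.7', 'alice', $t + 2);  // logged-in user still served

var_dump($anonReport, $burstOk, $eleventh, $nextWindow, $anonNow, $userNow);
```

In a real request the IP comes from `$_SERVER['REMOTE_ADDR']` (or from the load balancer's forwarded header, and only when that balancer is the trusted source of it), a refused call ends with a 429 response, and the refusal is written to the same request log so the attack pattern stays visible. A fixed window is cheap, but a client can spend two windows' budget across a window boundary; a sliding window costs more state and is the usual next step when that matters.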

CAPTCHA for anonymous access: Implement a CAPTCHA for all anonymous requests to verify that the user is a person, not a DDOS bot.

阻止 DDOS 攻击的最快和最常见的方法是什么?

What's the fastest and most common way to stop DDOS attacks?

The fastest is probably to give in to the blackmail, although this might not be desirable.

Otherwise, the first thing you need to do is contact your hosting and/or CDN provider and work with them (if they haven't contacted you already asking what the hell is going on...). When a DDOS occurs, it will likely collaterally affect other customers of the hosting provider, and the provider may be under considerable pressure to shut down your site simply to protect their resources. Be prepared to share your logs (any and all information) with the provider; these logs, combined with their network monitors, may together provide enough information to block/mitigate the attack.

If you are expecting a DDOS, it's a very good idea to qualify your hosting provider on the level of protection they can provide. They should have DDOS experience and tools to mitigate it - understand their tools, processes and escalation procedures. Also ask about what support the hosting provider has from their upstream providers. These services might mean more up-front or monthly cost, but treat this as an insurance policy.

While under attack, you will need to grab your logs and mine them - try and work out the pattern of the attack. You should consider switching off anonymous access and throttling the services under attack (i.e. decrease the application's rate limit for the service).

If lucky and you have a small, fixed customer-base, you might be able to determine your valid customers' IP addresses. If this is the case, you might switch to a white-list approach for a short while. Make sure all your customers know this is going on so they can call if they need to access from a new IP :)

Doug McClean has some good advice: https://stackoverflow.com/a/1029613/1395668
