How to enable DDoS protection?
DDoS (Distributed Denial of Service Attacks) are generally blocked on a server level, right?
Is there a way to block it on a PHP level, or at least reduce it?
If not, what is the fastest and most common way to stop DDoS attacks?
DDOS is a family of attacks which overwhelm key systems in the datacenter including:
Before you start on building your DDOS defence, consider what the worst-case value-at-risk is. For a non-critical, free-to-use service for a small community, the total value at risk might be peanuts. For a paid-for, public-facing, mission-critical system for an established multi-billion dollar business, the value might be the worth of the company. In this latter case, you shouldn't be using StackExchange :) Anyway, to defend against DDOS, you need a defence in-depth approach:
Keep all your systems and software packages updated with the latest security patches - and I mean all of them:
Ensure that you have a good firewall or security appliance set up and regularly reviewed by a qualified security expert. Strong rules on the firewall are a good defence against many simple attacks. It's also useful to be able to manage bandwidth available for each open service.
Have good network monitoring tools in place - this can help you understand:
The attack might simply be heavy use of legitimate web site services (eg hitting 'legal' URIs running queries or inserting/updating/deleting data) - thousands or millions of requests coming from tens to millions of different IP addresses will bring a site to its knees. Alternatively, some services might be so expensive to run that only a few requests cause a DOS - think a really expensive report. So you need good application level monitoring of what is going on:
Sensible constraints and limits in your application. For example, you might:
Last, but not least, write a DOS Response Plan document and get this internally reviewed by all relevant parties: Business, Management, the SW dev team, the IT team and a security expert. The process of writing the document will cause you and your team to think through the issues and help you to be prepared if the worst should happen at 3am on your day off. The document should cover (among other things):
So, preamble aside, here are some specific answers:
DDOS are generally blocked on a server level, right?
Not really - most of the worst DDOS attacks are low-level (at the IP packet level) and are handled by routing rules, firewalls, and security devices developed to handle DDOS attacks.
Is there a way to block it on a PHP level, or at least reduce it?
Some DDOS attacks are aimed at the application itself, sending valid URIs and HTTP requests. When the rate of requests goes up, your server(s) begin to struggle and you will have an SLA outage. In this case, there are things you can do at the PHP level:
Application level monitoring: Ensure each service/page logs requests in a way that you can see what is going on (so you can take actions to mitigate the attack). Some ideas:
Have a log format that you can easily load into a log tool (or Excel or similar), and parse with command-line tools (grep, sed, awk). Remember that a DDOS will generate millions of lines of log. You will likely need to slice'n'dice your logs (especially with respect to URI, time, IP and user) to work out what is going on, and need to generate data such as:
Log the IP address of each request. DON'T reverse DNS this - ironically the cost of doing this makes a DDOS easier for the attackers.
Sensible rate limits: You might implement limits on how many requests a given IP or User can make in a given time period. Could a legitimate customer make more than 10 requests per second? Can anonymous users access expensive reports at all?
CAPTCHA for anonymous access: Implement a CAPTCHA for all anonymous requests to verify that the user is a person, not a DDOS bot.
What's the fastest and most common way to stop DDOS attacks?
The fastest is probably to give in to the blackmail, although this might not be desirable.
Otherwise, the first thing you to do is contact your hosting and/or CDN provider and work with them (if they haven't contacted you already asking what the hell is going on...). When a DDOS occurs, it will likely collaterally affect other customers of the hosting provider, and the provider may be under considerable pressure to shut down your site simply to protect their resources. Be prepared to share your logs (any and all information) with the provider; these logs, combined with their network monitors, may together provide enough information to block/mitigate the attack.
If you are expecting a DDOS, it's a very good idea to qualify your hosting provider on the level of protection they can provide. They should have DDOS experience and tools to mitigate it - understand their tools, processes and escalation procedures. Also ask about what support the hosting provider has from their upstream providers. These services might mean more up-front or monthly cost, but treat this as an insurance policy.
While under attack, you will need to grab your logs and mine them - try and work out the pattern of the attack. You should consider switching off anonymous access and throttling the services under attack (ie decrease the application's rate limit for the service).
If lucky and you have a small, fixed customer-base, you might be able to determine your valid customers' IP addresses. If this is the case, you might switch to a white-list approach for a short while. Make sure all your customers know this is going on so they can call if they need to access from a new IP :)
Doug McClean has some great advice at: https://stackoverflow.com/a/1029613/1395668
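The "slice'n'dice your logs" step above, as an added example that is not part of the original answer: a small POSIX shell script that builds a constructed Apache combined-format access log (addresses, paths and timestamps are made up), then aggregates it by client IP, URI and second and flags IPs whose peak per-second request rate exceeds a threshold. The 10 requests/second threshold is the figure the answer itself raises; the log format and field positions are assumed to be Apache's default combined format.

```shell
#!/bin/sh
# Added example (not from the original answer): detect the "one IP hammering an
# expensive page" pattern in a constructed access log. Apache combined format:
# field 1 = client IP, field 4 = "[day/Mon/year:hh:mm:ss", field 7 = request path.

LOG="$(mktemp)"
# emit_hits COUNT IP URI SECOND - append COUNT constructed log lines
emit_hits() {
    i=0
    while [ "$i" -lt "$1" ]; do
        printf '%s - - [10/Oct/2013:13:55:%s +0000] "GET %s HTTP/1.1" 200 512 "-" "curl/7.30"\n' "$2" "$4" "$3" >> "$LOG"
        i=$((i + 1))
    done
}
emit_hits 3  198.51.100.20 /index.php 36             # normal browsing (constructed)
emit_hits 2  198.51.100.21 /login.php 37
emit_hits 40 203.0.113.7   /report/expensive.php 36  # one client hammering an expensive report
emit_hits 25 203.0.113.7   /report/expensive.php 37

# Top client IPs by total request count.
top_ips()  { awk '{print $1}' "$LOG" | sort | uniq -c | sort -rn; }
# Top URIs by total request count.
top_uris() { awk '{print $7}' "$LOG" | sort | uniq -c | sort -rn; }
# Per-IP peak requests within any single second: count per (IP, timestamp-to-
# the-second), then keep the largest count for each IP.
peak_rate() {
    awk '{ c[$1 " " $4]++ }
         END { for (k in c) { split(k, p, " ")
                              if (!(p[1] in m) || c[k] > m[p[1]]) m[p[1]] = c[k] }
               for (ip in m) print ip, m[ip] }' "$LOG" | sort -k2 -rn
}
# IPs whose peak per-second rate exceeds LIMIT (default 10). These are the
# candidates for a firewall/webserver block list, not something to handle in PHP.
offenders() { peak_rate | awk -v lim="${1:-10}" '$2 > lim {print $1}'; }

echo "Top IPs:";        top_ips
echo "Top URIs:";       top_uris
echo "Peak req/s by IP:"; peak_rate
echo "IPs over limit:"; offenders 10
```

On a real multi-million-line log, run the same awk passes over a time-sliced extract (grep on the minute of interest first) rather than the whole file.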
According to the PHP part of the question:
Although I don't rely on PHP for this, it could be implemented but needs to consider all these possibilities or more;
Simple pseudo:
<?php
// Assuming session is already started
$uri  = md5($_SERVER['REQUEST_URI']);
$exp  = 3; // minimum seconds allowed between two requests to the same URI
$hash = $uri . '|' . time();
// Only compare against a previous request; checking right after seeding the
// session would reject the very first request (time difference 0 < $exp)
if (isset($_SESSION['ddos'])) {
    list($_uri, $_exp) = explode('|', $_SESSION['ddos']);
    if ($_uri == $uri && time() - (int) $_exp < $exp) {
        header('HTTP/1.1 503 Service Unavailable');
        // die('Easy!');
        die;
    }
}
// Save last request
$_SESSION['ddos'] = $hash;
?>
The PHP level is too late in the request chain.
Putting your apache server behind an open source appliance may be a good option for you.
http://tengine.taobao.org/ has some documentation and source code for more modules aimed at DDOS prevention. It is an expansion of nginx, so you can easily set it up as a reverse proxy for your apache instance.
See: http://blog.zhuzhaoyuan.com/2012/01/a-mechanism-to-help-write-web-application-firewalls-for-nginx/ for how to fight hash-collision DoS attacks.
Totally forgot too, http://www.cloudflare.com is one of the top free web application firewalls, they have free and paid plans and will save your ass from DDOS; we use it for a lot of our high traffic sites just for its caching capabilities. It is awesome!
DDoS is best handled by very expensive, purpose-built network appliances. Hosts are generally not good at doing DDoS protection because they are subject to relatively low performance, state exhaustion, limited bandwidth, etc. Use of iptables, apache mods, and similar services can help in some situations if you have no access to DDoS mitigation hardware or a DDoS mitigation service, but it is far from ideal and still leaves you at risk of attack.
How about something like this on the PHP side:
// If the user does not change IP (i.e. keeps the same session), ban the IP
// once $limitps or more requests are seen within 1 second.
// Assumes session_start() has already been called.
$limitps = 10;
$now = $_SERVER['REQUEST_TIME']; // already a Unix timestamp (int), no strtotime() needed
if (!isset($_SESSION['first_request'])) {
    $_SESSION['requests'] = 0;
    $_SESSION['first_request'] = $now;
    $_SESSION['banip'] = 0;
}
$_SESSION['requests']++;
if ($_SESSION['requests'] >= $limitps && $now - $_SESSION['first_request'] <= 1) {
    // Write the IP to a banned_ips.log file and configure your server to
    // retrieve the banned IPs from there - now you will be handling this IP
    // outside of PHP
    $_SESSION['banip'] = 1; // assignment, not a comparison
} elseif ($now - $_SESSION['first_request'] > 2) {
    // Window expired without tripping the limit: start a fresh count
    $_SESSION['requests'] = 0;
    $_SESSION['first_request'] = $now;
}
if ($_SESSION['banip'] == 1) {
    header('HTTP/1.1 503 Service Unavailable');
    die;
}
You can not do this at the PHP level. DDOS is a kind of attack that sends too many requests to your webserver. Your webserver will reject the request before it calls your PHP script.
If you are using Apache, here are some tips from Apache: http://httpd.apache.org/docs/trunk/misc/security_tips.html
There are plugins you can use in apache for ddos/dos. Good start here: http://www.debianadmin.com/how-to-protect-apache-against-dosddos-or-brute-force-attacks.html
If you're on LEMP, you can check here: http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html
These are good inexpensive starting points.
Do NOT use PHP-based protection, it's horrible and will hardly have an impact at all! Configure your webserver to rate-limit requests, for example in Nginx using the limit_req module ( http://nginx.org/en/docs/http/ngx_http_limit_req_module.html )
Although, I would recommend using CloudFlare to combat layer-4 - however not layer-7 based attacks unless you're willing to pay.
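A worked limit_req configuration for the advice above, added here and not taken from the answer or from the nginx documentation: one per-client-IP bucket for all PHP handlers and a much tighter bucket for an expensive report path (the kind of endpoint the first answer says only needs a few requests to cause a DOS). Zone names, rates, the /report/ path and the php-fpm socket path are assumed values for illustration.

```nginx
http {
    # Shared-memory zones keyed on the client address. 10m holds roughly
    # 160k addresses. A legitimate browser rarely needs more than 10 PHP
    # requests per second; expensive reports get one request per minute.
    limit_req_zone $binary_remote_addr zone=perip:10m   rate=10r/s;
    limit_req_zone $binary_remote_addr zone=reports:10m rate=1r/m;
    limit_req_status    429;   # default is 503; 429 tells clients they are throttled
    limit_req_log_level warn;  # rejected requests show up in error.log for log mining

    server {
        listen 80;

        # Regex locations match in order, so the stricter rule comes first
        # (the weak setting is simply having no limit_req here at all).
        location ~ ^/report/.*\.php$ {
            limit_req zone=reports burst=2;     # queue at most 2 extra, then reject
            include fastcgi_params;
            fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
        }

        location ~ \.php$ {
            # Allow a burst of 20 without delaying them; anything beyond that
            # is rejected immediately instead of being queued.
            limit_req zone=perip burst=20 nodelay;
            include fastcgi_params;
            fastcgi_pass unix:/run/php/php-fpm.sock;
        }
    }
}
```

If nginx sits behind CloudFlare or another proxy, $binary_remote_addr is the proxy's address and every visitor would share one bucket; restore the real client address with the realip module before keying on it.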
DDOS are generally blocked on a server level. Please enable DDOS protection at your server level. Please check the below notes for DDOS protection.
Apache HTTP Server configuration settings that can help prevent DDOS problems:
The RequestReadTimeout directive allows you to limit the time a client may take to send the request.
Allow 10 seconds to receive the request including the headers and 30 seconds for receiving the request body:
RequestReadTimeout header=10 body=30
Allow at least 10 seconds to receive the request body. If the client sends data, increase the timeout by 1 second for every 1000 bytes received, with no upper limit for the timeout (except for the limit given indirectly by LimitRequestBody):
RequestReadTimeout body=10,MinRate=1000
RequestReadTimeout header=10-30,MinRate=500
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
The KeepAliveTimeout directive may also be lowered on sites that are subject to DoS attacks. Some sites even turn off the keepalives completely via KeepAlive, which of course has other drawbacks on performance. The values of various timeout-related directives provided by other modules should be checked.
The directives LimitRequestBody, LimitRequestFields, LimitRequestFieldSize, LimitRequestLine, and LimitXMLRequestBody should be carefully configured to limit resource consumption triggered by client input. Tune the MaxRequestWorkers directive to allow the server to handle the maximum number of simultaneous connections without running out of resources.
Anti DDOS steps: