Application-layer DDoS attacks, and how to mitigate them

DDoS (Distributed Denial of Service) and DoS (Denial of Service) attacks can broadly be classified into three categories based on the layers of the OSI model they target: the network layer (Layer 3), the transport layer (Layer 4), and the application layer (Layer 7).
Layer 3 and Layer 4 attacks are usually not very sophisticated, although they can be very challenging to control. They involve flooding the network and transport layers with traffic, overburdening the target system's resources and making it unavailable to legitimate users. These types of attacks can be launched using various techniques such as ICMP floods, TCP SYN floods, or UDP floods.
An ICMP flood, for example, is a Layer 3 attack in which a large number of ICMP packets are sent to the target system, rendering it unresponsive. A TCP SYN flood, on the other hand, is a Layer 4 attack that exploits the way TCP connections are established.
In a SYN flood attack, the attacker sends many SYN packets to the target system but never sends the ACK packet that completes the connection. This causes the system to allocate resources for each connection attempt, which eventually overloads the system and makes it unavailable to legitimate users. A UDP flood sends a large number of UDP packets to a target system, consuming its resources and making it unresponsive.
Application-layer DDoS attacks
Application-layer attacks are more complex and harder to mitigate than Layer 3 and Layer 4 attacks. These attacks target the application layer (Layer 7) of the target system and exploit vulnerabilities in the application itself. Layer 7 attacks can do more damage because they directly impact applications and the underlying infrastructure. You won't be able to mitigate Layer 7 DDoS attacks with Layer 3 or Layer 4 tools such as network firewalls.
HTTP floods, Slowloris attacks, and DNS amplification attacks are Layer 7 denial of service attacks. These attacks require more sophisticated defenses such as application-layer firewalls, intrusion prevention systems, and content delivery networks (CDNs).
HTTP floods
HTTP flood attacks are carried out using GET or POST requests to overwhelm the target server. Flood attacks that use GET requests are usually simple and require few resources, because they only request information from the server. POST requests, on the other hand, typically require sending a large amount of data.
One of the reasons HTTP flood attacks are hard to mitigate is that they are usually launched from many sources, making it difficult to identify and block all of the malicious traffic. In addition, attackers can use techniques such as IP spoofing to hide their real identity and make it even harder to trace where their attacks originate.
Defending against HTTP flood attacks can be difficult. Different types of attacks require different mitigation strategies. Common defenses against HTTP flood attacks include rate limiting, blacklisting, and web application firewalls. However, these techniques can be resource-intensive and may not be sufficient to thwart more sophisticated attacks.
Slowloris attacks
Slowloris is a type of flooding attack that targets the way web servers handle client connections. It works by opening a large number of connections to the server but sending the requests at a slow rate, keeping each connection open as long as possible. This type of attack can consume all available resources of the server (CPU, memory, network bandwidth, and so on) without even triggering the typical rate limiting and traffic filtering mechanisms commonly used to detect and block other types of DDoS attacks.
To carry out a Slowloris attack, attackers typically use scripts or tools that send HTTP requests to a server but deliberately delay sending the rest of each request. The request is designed to look legitimate, but its incomplete header keeps the connection open indefinitely. Over time, the server accumulates many open connections waiting for additional data from the client, until it stops responding to legitimate traffic.
Slowloris attacks can be difficult to detect because of their covert design and relatively low bandwidth. This makes them an effective tool for attackers who want to take down target servers without triggering alerts or creating suspicion. To defend against Slowloris attacks, web servers can implement several countermeasures. For example, they can limit the number of connections that can be made from a single IP address, or set a timeout for incomplete requests. Some web application firewalls and anti-DDoS services have built-in protection against Slowloris attacks, using algorithms that can detect and stop this kind of traffic in real time.
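The two server-side countermeasures just described (a cap on simultaneous connections per IP address and a deadline for completing the request headers) can be modelled as a small connection tracker. The following is an added example and not code from the original post or from any of the servers it names; `ConnectionGuard`, `simulate`, the IP addresses and the request bytes are all constructed for illustration. It shows why the header deadline is the decisive control: a client that trickles one header line at a time keeps every socket "active", so an idle timeout alone would not catch it, whereas a deadline measured from when the connection opened does.

```python
"""Model of two Slowloris countermeasures: a per-IP connection cap and a
deadline for completing the request head. Added example, not code from the
original post; ConnectionGuard and the timeline in simulate() are hypothetical."""
from dataclasses import dataclass
from typing import Dict, List, Optional

HEADER_END = b"\r\n\r\n"  # blank line that terminates an HTTP/1.1 request head


@dataclass
class Conn:
    conn_id: int
    ip: str
    opened_at: float
    buffer: bytes = b""
    complete: bool = False  # set once the full request head has arrived


class ConnectionGuard:
    def __init__(self, max_conns_per_ip: int, header_timeout: float) -> None:
        self.max_conns_per_ip = max_conns_per_ip
        self.header_timeout = header_timeout
        self.conns: Dict[int, Conn] = {}
        self.rejected = 0               # opens refused by the per-IP cap
        self.timed_out: List[int] = []  # ids closed by the header deadline
        self._next_id = 0

    def active_for_ip(self, ip: str) -> int:
        return sum(1 for c in self.conns.values() if c.ip == ip)

    def open(self, ip: str, now: float) -> Optional[int]:
        """Accept a connection unless this IP already holds the maximum."""
        if self.active_for_ip(ip) >= self.max_conns_per_ip:
            self.rejected += 1
            return None
        cid = self._next_id
        self._next_id += 1
        self.conns[cid] = Conn(cid, ip, now)
        return cid

    def feed(self, cid: int, data: bytes) -> bool:
        """Append received bytes; return True once the head is complete."""
        c = self.conns[cid]
        c.buffer += data
        if HEADER_END in c.buffer:
            c.complete = True
        return c.complete

    def reap(self, now: float) -> List[int]:
        """Close every connection whose head is still incomplete more than
        header_timeout seconds after it was opened. The deadline is measured
        from open, not from the last byte, so trickling data does not help."""
        expired = [c.conn_id for c in self.conns.values()
                   if not c.complete and now - c.opened_at > self.header_timeout]
        for cid in expired:
            del self.conns[cid]
            self.timed_out.append(cid)
        return expired


def simulate(max_conns_per_ip: int = 20, header_timeout: float = 30.0) -> dict:
    """Constructed timeline: one client tries 25 connections and sends one
    extra header line every 5 s without ever sending the blank line; a
    second client sends one complete request. Returns what the guard did."""
    guard = ConnectionGuard(max_conns_per_ip, header_timeout)
    slow_ip, normal_ip = "198.51.100.9", "192.0.2.44"  # documentation ranges

    slow_ids = []
    for _ in range(25):
        cid = guard.open(slow_ip, now=0.0)
        if cid is not None:
            slow_ids.append(cid)
            guard.feed(cid, b"GET / HTTP/1.1\r\nHost: example.test\r\n")

    normal_id = guard.open(normal_ip, now=1.0)
    normal_done = guard.feed(
        normal_id, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n")

    # Every 5 s the slow client adds one more header line to each socket.
    for t in (5.0, 10.0, 15.0, 20.0, 25.0, 30.0):
        for cid in slow_ids:
            guard.feed(cid, b"X-Padding: %d\r\n" % int(t))
        guard.reap(now=t)  # nothing expires yet: the deadline is 30 s after open

    reaped = guard.reap(now=31.0)
    return {
        "accepted_slow": len(slow_ids),
        "rejected_by_cap": guard.rejected,
        "reaped_by_timeout": len(reaped),
        "normal_completed": normal_done,
        "normal_still_open": normal_id in guard.conns,
    }


if __name__ == "__main__":
    print(simulate())
```

In a real server the `reap` pass corresponds to what Apache's mod_reqtimeout or a header timeout in IIS HTTP.sys does for you; the value of the model is in seeing that the cap alone leaves 20 sockets tied up for the full 30 seconds, which is why both controls are usually applied together.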
Layer 7 DDoS mitigation
Rate limiting
Rate limiting involves setting a maximum rate of requests that can be made from a particular IP address or user agent within a given period of time. The idea is very similar to rate limiting at Layer 3, but it has to be implemented at Layer 7.
The purpose of rate limiting is to prevent an attacker from overwhelming a web application with a large number of requests, which can bring the server down. Rate limiting can be implemented at different layers of your web application stack: the web server, the load balancer, or the application firewall. The implementation usually involves tracking the number of requests made by a particular IP address or user agent and blocking further requests once a predefined limit is reached.
A common way to implement rate limiting for web applications is to use middleware or plugins that track the number of requests made by each client and block further requests once the limit is exceeded. These plugins can be configured to apply different rate limiting policies based on factors such as the request type, the user agent, or the client's IP address.
For example, a simple rate limiting policy might limit requests from a single IP address to a maximum of 10 requests per minute. If a client exceeds this limit, subsequent requests will be blocked until the specified time period has elapsed.
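The policy described in these paragraphs (count requests per client key, block once the limit is exceeded, allow again after the period has elapsed) is what a rate limiting middleware does internally. The following added example implements it as a token bucket keyed by a pluggable client attribute; it is not code from the original post or from any of the products named below, and `RateLimiter`, `Policy`, `by_ip`, `by_ip_and_agent`, `simulate` and the sample request stream are all hypothetical. A token bucket is used here because the text mentions it for Nginx; it generalises the fixed "10 per minute" rule by refilling one request's worth of allowance every six seconds instead of resetting at a minute boundary, and it reports how long a blocked client should wait, which is what a `Retry-After` header would carry.

```python
"""Token-bucket rate limiter keyed by client attributes (IP, user agent, ...).
Added example, not code from the original post; all names are hypothetical."""
from dataclasses import dataclass
from typing import Callable, Dict, Hashable, Tuple


@dataclass(frozen=True)
class Policy:
    """Allow `capacity` requests per `period_seconds` for each key."""
    capacity: int
    period_seconds: float

    @property
    def refill_rate(self) -> float:
        # Tokens restored per second; a full bucket refills in one period.
        return self.capacity / self.period_seconds


@dataclass
class _Bucket:
    tokens: float
    last_refill: float


class RateLimiter:
    """Per-key token bucket. `key_func` decides what is being limited;
    `clock` is injectable so behaviour can be checked without waiting."""

    def __init__(self, policy: Policy, key_func: Callable[[dict], Hashable],
                 clock: Callable[[], float]) -> None:
        self.policy = policy
        self.key_func = key_func
        self.clock = clock
        self._buckets: Dict[Hashable, _Bucket] = {}

    def check(self, request: dict) -> Tuple[bool, float]:
        """Return (allowed, retry_after_seconds); retry_after is 0.0 if allowed."""
        now = self.clock()
        key = self.key_func(request)
        bucket = self._buckets.get(key)
        if bucket is None:
            bucket = _Bucket(tokens=float(self.policy.capacity), last_refill=now)
            self._buckets[key] = bucket
        # Refill in proportion to elapsed time, never above capacity.
        elapsed = max(0.0, now - bucket.last_refill)
        bucket.tokens = min(float(self.policy.capacity),
                            bucket.tokens + elapsed * self.policy.refill_rate)
        bucket.last_refill = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True, 0.0
        # Not enough allowance: time until one whole token is back.
        return False, (1.0 - bucket.tokens) / self.policy.refill_rate


# Two of the key choices the text mentions; any hashable works.
def by_ip(request: dict) -> Hashable:
    return request["ip"]


def by_ip_and_agent(request: dict) -> Hashable:
    return (request["ip"], request["user_agent"])


def simulate(policy: Policy = Policy(capacity=10, period_seconds=60.0)) -> dict:
    """Replay a constructed stream against the text's 10-per-minute policy."""
    now = [0.0]
    limiter = RateLimiter(policy, key_func=by_ip, clock=lambda: now[0])
    burst, first_retry_after = [], None
    for i in range(15):  # 15 requests in 0.7 s from one client (constructed)
        now[0] = i * 0.05
        allowed, retry_after = limiter.check(
            {"ip": "203.0.113.7", "user_agent": "curl/8.0"})
        burst.append(allowed)
        if not allowed and first_retry_after is None:
            first_retry_after = retry_after
    other_allowed, _ = limiter.check({"ip": "203.0.113.8", "user_agent": "curl/8.0"})
    now[0] = 10.0  # 9.3 s after the last request: more than one token (6 s) refilled
    later_allowed, _ = limiter.check({"ip": "203.0.113.7", "user_agent": "curl/8.0"})
    return {
        "burst_allowed": sum(burst),
        "first_retry_after": first_retry_after,
        "other_ip_allowed": other_allowed,
        "same_ip_after_wait_allowed": later_allowed,
    }


if __name__ == "__main__":
    print(simulate())
```

Keying on IP alone is the simplest policy, but it penalises every user behind a shared NAT or proxy; combining it with the user agent or a session identifier, as `by_ip_and_agent` does, is one way to narrow the blast radius of a block, at the cost of letting an attacker who rotates user agents spread load across more buckets.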
Application-layer rate limiting features are available in popular web servers and cloud services, including:
Apache
Apache has several modules that can be used for rate limiting, such as mod_limitipconn, which limits the number of simultaneous connections from a given IP address, and mod_qos, which provides various quality-of-service controls including request rate limiting.
In addition, the ModSecurity web application firewall has rate limiting features that can block clients that exceed a specified limit. Besides the modules above, Apache also offers mod_evasive. This module can be used for rate limiting and for blocking clients that exceed a specified limit; it detects and blocks abusive clients using various techniques, including IP and user-agent tracking.
Nginx
Nginx provides the ngx_http_limit_req module. It can be used to limit the request rate of particular clients based on IP address or other factors. The module uses a token bucket algorithm to allocate tokens to each client according to the rate limiting policy. Besides ngx_http_limit_req, Nginx also provides the ngx_http_limit_conn module, which can be used to limit the number of connections from particular clients or IP addresses. This module likewise uses a token bucket algorithm to allocate tokens according to the configured rate limiting policies.
IIS
Microsoft Internet Information Services (IIS) includes a Dynamic IP Restrictions module that can be used for rate limiting. The module can be configured to deny requests from IP addresses that exceed a specified limit, and it can also produce alerts and logs for monitoring. Besides the Dynamic IP Restrictions module, IIS also provides the Request Filtering module, which can be used to limit the request rate of particular clients based on various criteria such as IP address, user agent, and request method.
AWS
Amazon Web Services (AWS) provides several services that can be used for rate limiting, including AWS WAF, which offers rate limiting as a feature.
AWS Shield provides DDoS protection, including rate-based rules that can deny requests from IP addresses exceeding a certain limit. Besides AWS WAF and AWS Shield, AWS also provides the Elastic Load Balancer, which includes various rate limiting policies that can be configured to block clients once they exceed a certain limit.
Azure
Microsoft Azure provides several services that can be used for rate limiting, including Azure Application Gateway, which includes a web application firewall that can be configured to limit the rate of incoming requests. In addition, Azure Front Door offers rate limiting features that allow requests from IP addresses exceeding a predefined limit to be blocked. Besides Azure Application Gateway and Azure Front Door, Azure also provides Azure Firewall, which can be used for rate limiting and for blocking clients that exceed a set limit.
GCP
Google Cloud Platform (GCP) provides Cloud Armor, a web application firewall with rate limiting capabilities that can block requests from clients exceeding a set limit.
Application-layer rate limiting features can effectively reduce HTTP flood attacks by limiting the number of requests from malicious clients. However, it is important to configure them properly so that they do not block legitimate traffic, and to use them together with other security measures such as firewalls and anti-DDoS services to provide comprehensive protection against DDoS attacks.
Timeouts for incomplete requests
Below are some of the application-level Slowloris mitigation methods available in the Apache, Nginx, and IIS web servers, and in the load balancers and additional features of the AWS, Azure, and GCP services:
Apache
Besides the modules above, Apache also provides a module, mod_reqtimeout, that can be used to set a timeout for incoming requests. If a client sends a request that takes longer than the specified timeout, the server closes the connection. This will prevent Slowloris attacks.
Nginx
Besides the ngx_http_limit_conn and ngx_http_limit_req modules, Nginx also provides its ngx_http_request module. This can be used to limit the time the upstream server is allowed to take to process a request. If the upstream server takes longer than the specified timeout, Nginx closes the connection.
IIS
In addition to the Dynamic IP Restrictions and Request Filtering modules, IIS also provides the kernel-mode driver HTTP.sys, which allows you to set a timeout for incoming requests. If a client sends a request that takes longer than the specified timeout, the server closes the connection.
AWS
In addition to AWS WAF and AWS Shield, AWS also provides the Elastic Load Balancer, which includes various connection timeout rules that can be configured to close connections that take longer than a predefined threshold.
Azure
Besides Azure Application Gateway and Azure Front Door, Azure also provides Azure Load Balancer, which includes configurable idle session timeout features that can be used to close connections that remain idle for a set period.
GCP
Google Cloud Platform (GCP) offers many connection timeout options for its services, including Cloud Load Balancing, which includes configurable timeout features that can be used to close connections that take longer than a predefined limit.
Conclusion
In conclusion, DDoS and DoS attacks can be classified according to the layers of the OSI model they target, such as the network layer (Layer 3), the transport layer (Layer 4), and the application layer (Layer 7).
While Layer 3 and Layer 4 attacks flood the network and transport layers with sheer traffic volume, Layer 7 attacks are more sophisticated and exploit vulnerabilities in the applications themselves. HTTP floods and Slowloris attacks are examples of Layer 7 denial of service attacks. Mitigation measures for these attacks include rate limiting, blacklisting, and web application firewalls. Identifying and containing attacks in real time requires a comprehensive, multi-layered defense strategy that includes monitoring, detection, and response capabilities.
In addition, attackers can customize their techniques and tailor their attacks to evade detection and circumvent security measures. Therefore, it is imperative that organizations implement a comprehensive, multi-layered defense strategy with monitoring, detection, and response capabilities that can rapidly identify and contain attacks in real time. This may include using advanced machine learning algorithms and behavioral analytics to detect and block malicious traffic patterns.
Post Disclaimer
The views, information, or opinions expressed are solely those of the author and do not necessarily represent those of his employer or the organizations with which he is affiliated.
The information contained in this post is for general information purposes only. The information is provided by Farhad Mofidi, who endeavors to keep it current and correct but makes no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability of the website or of the information, products or graphics contained in any post, for any purpose.
Also, AI may have been used as a tool to provide suggestions and to improve some of the content or sentences. The ideas, views, models, and final products are original and human-made by the author.