Application layer DDoS attacks, and how to mitigate them

DDoS (distributed denial of service) and DoS (denial of service) attacks are divided into three categories according to which layer of the OSI model they target: the network layer (Layer 3), the transport layer (Layer 4), and the application layer (Layer 7).

Layer 3 and Layer 4 attacks are usually less sophisticated, even though they can still be very challenging to mitigate. They involve flooding the network and transport layers with traffic, overburdening the target system's resources and making it unavailable to legitimate users. These attacks can be launched using techniques such as ICMP floods, TCP SYN floods, or UDP floods.

An ICMP flood, for example, is a Layer 3 attack in which a large number of ICMP packets are sent to the target system, rendering it unresponsive. A TCP SYN flood, on the other hand, is a Layer 4 attack that exploits the way TCP connections are established.

In a SYN flood attack, the attacker sends many SYN packets to the target system but never sends the ACK packet that would complete the connection. This causes the system to allocate resources for each connection attempt, eventually overloading it and making it unavailable to legitimate users. A UDP flood sends a large number of UDP packets to a target system, consuming its resources and making it unresponsive.

Application layer DDoS attacks

Application layer attacks are more complex and harder to mitigate than Layer 3 and Layer 4 attacks. They target the application layer (Layer 7) of the target system and exploit vulnerabilities in the application itself. Layer 7 attacks can do more damage because they directly impact applications and the underlying infrastructure. You won't be able to mitigate Layer 7 DDoS attacks with Layer 3 or Layer 4 tools such as network firewalls.

HTTP floods, Slowloris attacks, and DNS amplification attacks are Layer 7 denial of service attacks. These attacks require more sophisticated defenses such as application-layer firewalls, intrusion prevention systems, and CDNs (content delivery networks).

HTTP floods

HTTP flood attacks are performed using GET or POST requests to overwhelm the target server. Flood attacks using GET requests are usually simpler and require fewer resources because they only ask the server for information. POST requests, on the other hand, typically involve sending large amounts of data.

One of the reasons HTTP flood attacks are difficult to mitigate is that they are often launched from a large number of sources, making it difficult to identify and block all malicious traffic. Additionally, attackers can use techniques such as IP spoofing to disguise their true identities and make it even more difficult to trace the source of their attacks.

Defending against HTTP flood attacks can be complicated, and different types of attacks require different mitigation strategies. Common defenses against HTTP flood attacks include rate limiting, blacklisting, and web application firewalls. However, these techniques can be resource-intensive and may not be sufficient to thwart more sophisticated attacks.

Slowloris attacks

Slowloris is a type of flooding attack that targets the way web servers handle client connections. It works by opening a large number of connections to the server but sending requests at a slow rate, keeping each connection open as long as possible. This can consume all of the server's available resources, whether CPU, memory, or network bandwidth, without triggering the rate limiting and other traffic filtering mechanisms widely used to detect and block other types of DDoS attacks.

To carry out a Slowloris attack, attackers typically use scripts or tools that send HTTP requests to the server but deliberately delay the subsequent parts of each request. The request is designed to look legitimate, but its headers are never completed, so the connection stays open indefinitely. Over time, the server accumulates a large number of open connections waiting for more data from the client, and it stops responding to legitimate traffic.

Slowloris attacks can be hard to detect because of their stealthy design and relatively low bandwidth. This makes them an effective tool for attackers who want to sabotage servers without raising alerts or suspicion. To defend against Slowloris attacks, web servers can implement several countermeasures, for example limiting the number of connections that can be established from a single IP address, or setting a timeout for incomplete requests. Some web application firewalls and DDoS prevention services have built-in protection against Slowloris attacks, using algorithms that can detect and block such traffic in real time.

Layer 7 DDoS mitigations

Rate limiting

Rate limiting involves setting a limit on the number of requests that can be sent from a given IP address or user agent within a given period of time. The concept is very similar to rate limiting at Layer 3, but it has to be implemented at Layer 7.

The goal of rate limiting is to prevent an attacker from overloading the web application with a large number of requests and causing the server to fail. Rate limiting can be implemented at different layers of your web application architecture: on the web server, on the load balancer, or in the application firewall. Implementations usually track the number of requests made by a given IP address or user agent and block additional requests once a predefined threshold is reached.

A common approach to implementing rate limiting in web applications is to use middleware or plugins that track the number of requests made by each client and block additional requests once the limit is exceeded. These plugins can be configured to apply different rate limiting policies based on factors such as the type of request, user agent, or client IP address.

For example, a simple rate limiting policy can limit requests from a single IP address to a maximum of 10 requests per minute. If a client exceeds this threshold, subsequent requests are blocked until the period expires.
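As an added example (not code from the original post), here is a per-client sliding-window limiter that enforces exactly the policy above, 10 requests per minute per IP address, and answers 429 with a Retry-After value computed from the oldest request still inside the window. The timestamps and IP addresses are constructed sample data.

```python
from collections import deque
import time


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client in any `window` seconds.
    Keyed on whatever identifies the client: IP address, User-Agent, API key."""

    def __init__(self, limit=10, window=60.0):
        self.limit = limit
        self.window = window
        self._hits = {}  # client key -> deque of timestamps of allowed requests

    def check(self, key, now=None):
        """Return (allowed, retry_after_seconds).
        Blocked requests are not recorded, so a client that keeps hammering
        does not push its own unblock time further into the future."""
        now = time.monotonic() if now is None else now
        q = self._hits.setdefault(key, deque())
        # Drop timestamps that have aged out of the window.
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) < self.limit:
            q.append(now)
            return True, 0.0
        return False, q[0] + self.window - now


def apply_policy(requests, limit=10, window=60.0):
    """Replay (timestamp, client_ip) pairs through the limiter and return the
    status code a middleware would answer each one with: 200 or 429."""
    limiter = SlidingWindowLimiter(limit, window)
    return [200 if limiter.check(ip, now=ts)[0] else 429 for ts, ip in requests]


# Constructed sample: 203.0.113.10 sends 12 requests in 12 seconds, a second
# client sends one request, then the first client returns just before and
# exactly when its oldest request ages out of the 60-second window.
SAMPLE = [(float(t), "203.0.113.10") for t in range(12)] + [
    (5.0, "203.0.113.20"),
    (59.5, "203.0.113.10"),
    (60.0, "203.0.113.10"),
]

if __name__ == "__main__":
    for (ts, ip), status in zip(SAMPLE, apply_policy(SAMPLE)):
        print(f"t={ts:5.1f} {ip}: {status}")
```

The second client is unaffected by the first client's block, and the first client is admitted again at t=60.0 but not at t=59.5, which is the difference between a sliding window and the fixed "until the period expires" wording above.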

Application-layer rate limiting products are available for popular web servers and cloud services, including:

Apache

Apache has several modules that can be used for rate limiting, such as mod_limitipconn, which limits the number of simultaneous connections from a given IP address, and mod_qos, which provides various quality of service controls including rate limiting.

Furthermore, the ModSecurity web application firewall has rate limiting functionality that can block clients exceeding a configured threshold. In addition to the modules mentioned above, Apache also provides the mod_evasive module, which can be used to rate-limit and block clients that exceed a configured threshold. It detects and blocks malicious clients using various techniques, including tracking by IP address and user agent.

Nginx

Nginx provides the ngx_http_limit_req module, which can be used to limit the rate of requests from specific clients based on IP address or other factors. It uses a token bucket algorithm to allocate tokens to each client according to the rate limiting policy. In addition to ngx_http_limit_req, Nginx also provides the ngx_http_limit_conn module, which can be used to limit the number of connections from specific clients or IP addresses.

IIS

Microsoft's Internet Information Services (IIS) includes a Dynamic IP Restrictions module that can be used for rate limiting. This module can be configured to block requests from IP addresses that exceed predefined thresholds and can also provide alerts and logs for monitoring. In addition to the Dynamic IP Restrictions module, IIS also provides a Request Filtering module that can be used to limit the request rate of specific clients based on various criteria such as IP address, user agent, and request method.

AWS

Amazon Web Services (AWS) offers several services that can be used for rate limiting, including AWS WAF, which provides rate limiting as a feature.

AWS Shield offers DDoS protection, including rate-based rules that can block requests from IP addresses above a certain threshold. In addition to AWS WAF and AWS Shield, AWS also offers Elastic Load Balancer, which includes various rate limiting policies that can be configured to block clients over predefined thresholds.

Azure

Microsoft Azure offers several services that can be used for rate limiting, including Azure Application Gateway, which includes a web application firewall that can be configured to limit the rate of incoming requests. Additionally, Azure Front Door offers a rate limiting feature that can block requests from IP addresses above a predefined threshold. In addition to Azure Application Gateway and Azure Front Door, Azure also offers Azure Firewall, which can be used to limit and block clients that exceed a configured threshold.

GCP

Google Cloud Platform (GCP) offers Cloud Armor, a web application firewall with the ability to block requests from clients that exceed a configured threshold.

These application-layer rate limiting products can effectively mitigate HTTP flood attacks from rogue clients. However, it is important that they are configured correctly so that they do not block legitimate traffic, and that they are used together with other security measures such as firewalls and DDoS mitigation services, so that full protection against DDoS attacks is ensured.

Timeouts for incomplete requests

Listed below are ways to mitigate the Slowloris application-layer vulnerability for the Apache, Nginx, and IIS web servers, and for the load balancers and additional features of the AWS, Azure, and GCP services:

Apache

In addition to the modules mentioned above, Apache also provides the mod_reqtimeout module, which can be used to set timeouts for incoming requests. If a client sends a request that takes longer than the configured timeout, the server closes the connection. This prevents Slowloris attacks.

Nginx

In addition to the ngx_http_limit_conn and ngx_http_limit_req modules, Nginx also provides its ngx_http_request module, which can be used to limit the time an upstream server takes to process a request. If the upstream server takes longer than the configured timeout, Nginx closes the connection.

IIS

In addition to the Dynamic IP Restrictions and Request Filtering modules, IIS also provides the HTTP.sys kernel-mode driver, which allows timeouts to be set for incoming requests. If a client sends a request that takes longer than the configured timeout, the server closes the connection.

AWS

In addition to AWS WAF and AWS Shield, AWS also provides Elastic Load Balancer, which includes a number of connection timeout rules that can be configured to close connections lasting longer than a specified limit.

Azure

In addition to Azure Application Gateway and Azure Front Door, Azure also provides Azure Load Balancer, which includes a configurable idle connection timeout that can be used to close connections that have been inactive for a specified period.

GCP

Google Cloud Platform (GCP) provides a number of connection timeout options for its services, including Cloud Load Balancing, which includes a configurable timeout feature that can be used to close connections lasting longer than a specified limit.
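The two Slowloris countermeasures named earlier, a cap on connections per IP address and a timeout for incomplete requests, and the per-product connection timeouts listed above all come down to one decision: which open connections to drop. As an added example, not code from the original post or from any of these products, the function below makes that decision over a constructed snapshot of a server's connection table (the IP addresses and timings are made up), and shows why the incomplete-request deadline has to be absolute rather than idle-based.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Conn:
    cid: int
    ip: str
    opened_at: float       # when the server accepted the TCP connection
    last_byte_at: float    # when the client last sent any data
    header_complete: bool  # whether the blank line ending the headers arrived


def connections_to_close(conns, now, header_deadline=20.0, idle_timeout=30.0,
                         max_per_ip=4):
    """Return {cid: reason} for the connections the server should drop now.
    The header deadline is measured from opened_at, not last_byte_at: a slow
    client trickles one header byte every few seconds precisely so that idle
    timeouts keep resetting, so only an absolute deadline catches it."""
    close = {}
    for c in conns:
        if not c.header_complete and now - c.opened_at > header_deadline:
            close[c.cid] = "header-timeout"
        elif now - c.last_byte_at > idle_timeout:
            close[c.cid] = "idle-timeout"
    # Per-client connection cap: drop the most recently opened surplus
    # connections, as a server that refuses connections over the cap would.
    survivors = [c for c in conns if c.cid not in close]
    for ip, n in Counter(c.ip for c in survivors).items():
        if n > max_per_ip:
            by_age = sorted((c for c in survivors if c.ip == ip),
                            key=lambda c: c.opened_at)
            for c in by_age[max_per_ip:]:
                close[c.cid] = "per-ip-limit"
    return close


# Constructed snapshot of the connection table, inspected at now=60.
SNAPSHOT = [
    Conn(1, "198.51.100.7", 0.0, 58.0, False),  # trickling header bytes since t=0
    Conn(2, "198.51.100.7", 3.0, 59.0, False),
    Conn(3, "192.0.2.44", 50.0, 50.5, True),    # legitimate request being served
    Conn(4, "192.0.2.44", 55.0, 55.0, False),   # headers still arriving, in time
    Conn(5, "203.0.113.9", 10.0, 12.0, True),   # finished request, idle keep-alive
] + [Conn(6 + i, "198.51.100.7", 50.0 + i, 59.0, False) for i in range(5)]

if __name__ == "__main__":
    for cid, why in sorted(connections_to_close(SNAPSHOT, now=60.0).items()):
        print(f"close #{cid}: {why}")
```

Connection 1 is still sending bytes, so an idle timeout alone would never close it; only the absolute header deadline does.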

Conclusion

In summary, DDoS and DoS attacks can be classified according to the OSI model layers they target: the network layer (Layer 3), the transport layer (Layer 4), and the application layer (Layer 7).

While Layer 3 and Layer 4 attacks flood the network and transport layers with traffic, Layer 7 attacks are more sophisticated and exploit vulnerabilities in applications. HTTP flood and Slowloris attacks are examples of Layer 7 denial of service attacks. Countermeasures against these attacks include rate limiting, blacklisting, and web application firewalls. Detecting and containing attacks in real time requires a comprehensive, multi-layered defense strategy with monitoring, detection, and response capabilities.

Additionally, attackers can adapt their techniques and tailor their attacks to evade detection and security measures. Organizations therefore need to put in place a comprehensive, multi-layered defense strategy with monitoring, detection, and response capabilities, so that attacks can be identified and contained quickly in real time. This may include the use of advanced machine learning algorithms and behavioral analysis to identify and block malicious traffic patterns.

Post disclaimer

The opinions, information, or views expressed are solely those of the author and may not reflect the views of the organization he works for or of any organizations he is affiliated with.

The information in this post is provided for general information purposes. The information is provided by Farhad Mofidi, and while he tries to keep it up to date and accurate, he makes no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability, or availability of the website or of any information, products, or related graphics contained in the post for any purpose.

Also, AI may be used as a tool to make suggestions and improve some content or sentences. The ideas, opinions, reflections, and final products are original, human-developed work created by the author.