    Alibaba Cloud Container Service: configuring the custom routing service to withstand DDoS attacks

    Abstract: In Container Service, besides SLB, the custom routing service (based on HAProxy) can also act as a line of defence against DDoS attacks. This article describes several ways to handle DDoS attacks of ordinary scale.

    1. TCP flood attack (SYN Flood)

    Adjust the ECS kernel parameters to withstand a TCP SYN flood: open /etc/sysctl.conf and set the following parameters

    # Protection SYN flood  
    net.ipv4.tcp_syncookies = 1  
    net.ipv4.conf.all.rp_filter = 1  
    net.ipv4.tcp_max_syn_backlog = 1024   
    

    Run the following command to make the configuration file take effect

    sysctl -p
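Because the three sysctl keys above are the whole SYN-flood hardening, a practitioner normally wants to verify that every ECS node actually carries them. The following audit script is an added example, not part of the original article: it parses sysctl.conf-style text (the same "key = value" layout that `sysctl -a` prints, so it can be pointed at either the file or the live kernel output) and reports every required key that is missing or has a different value. The sample configuration embedded below is constructed for the demonstration.

```python
"""Audit sysctl settings for the SYN-flood hardening keys from /etc/sysctl.conf.

Added example (not from the original post). Parses 'key = value' text and
reports required keys that are absent or set to an unexpected value.
"""
import re

# Expected values, taken from the /etc/sysctl.conf fragment in the article.
REQUIRED = {
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.tcp_max_syn_backlog": "1024",
}

# 'key = value' or 'key=value'; sysctl keys may contain dots, dashes and slashes.
_LINE = re.compile(r"^\s*([\w.\-/]+)\s*=\s*(\S.*?)\s*$")


def parse_sysctl(text):
    """Parse sysctl.conf-style text into {key: value}.

    '#' and ';' start comments, blank lines are ignored, and a later
    definition of the same key overrides an earlier one (as 'sysctl -p' does).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0]
        m = _LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def audit(text, required=REQUIRED):
    """Return {key: (expected, actual_or_None)} for every key that deviates."""
    settings = parse_sysctl(text)
    findings = {}
    for key, expected in required.items():
        actual = settings.get(key)
        if actual != expected:
            findings[key] = (expected, actual)
    return findings


# Constructed sample: syncookies disabled, backlog missing, rp_filter correct.
SAMPLE_CONF = """\
# Protection SYN flood
net.ipv4.tcp_syncookies = 0
net.ipv4.conf.all.rp_filter=1   # strict reverse-path filtering
"""

if __name__ == "__main__":
    for key, (expected, actual) in sorted(audit(SAMPLE_CONF).items()):
        print(f"{key}: expected {expected}, found {actual!r}")
```

Run it against `sysctl -a` output rather than the file when you want to know what the kernel is using right now; a node whose file is correct but that has never had `sysctl -p` run on it will show up as a deviation only in the live output.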
    

    2. Slow connection attacks

    An HTTP request normally consists of headers, a URL, a method and so on, and the server responds only after it has received the complete request. A malicious client sends the request slowly, for example one header byte at a time, so the server stays in a waiting state and its resources are tied up. HAProxy handles this with the timeout http-request parameter: when a client takes longer than the configured value to send its request, HAProxy closes the connection to that client. A sample compose template follows:

    lb:
        image:  registry.aliyuncs.com/acs/proxy:0.5
        ports:
                -  '80:80'
        restart:  always
        labels:
            # the addon lets the proxy image subscribe to the registry and load service routes dynamically
            aliyun.custom_addon:  "proxy"
            # deploy one container of this image on every VM
            aliyun.global:  "true"
            # bind the frontend to the SLB
            aliyun.lb.port_80: tcp://proxy_test:80
        environment:
            # scope of backend containers whose routes are loaded; "*" means the whole cluster, default is the services within the application
            ADDITIONAL_SERVICES:  "*"
            EXTRA_DEFAULT_SETTINGS: 'timeout http-request 5s'
    appone:
        ports:
            -  80/tcp
            -  443/tcp
        image:  'registry.cn-hangzhou.aliyuncs.com/linhuatest/hello-world:latest'
        labels:
            # http/https/ws/wss protocols are supported here
            aliyun.proxy.VIRTUAL_HOST:  "http://appone.example.com"
        restart:  always
    

    The generated HAProxy configuration file is:

    global
      log 127.0.0.1 local0
      log 127.0.0.1 local1 notice
      log-send-hostname
      maxconn 4096
      pidfile /var/run/haproxy.pid
      user haproxy
      group haproxy
      daemon
      stats socket /var/run/haproxy.stats level admin
      ssl-default-bind-options no-sslv3
      ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA
    defaults
      balance roundrobin
      log global
      mode http
      option redispatch
      option httplog
      option dontlognull
      option forwardfor
      timeout connect 5000
      timeout client 50000
      timeout server 50000
      timeout http-request 5s  # this directive counters slow-connection attacks
    listen stats
      bind :1936
      mode http
      stats enable
      timeout connect 10s
      timeout client 1m
      timeout server 1m
      stats hide-version
      stats realm Haproxy Statistics
      stats uri /
      stats auth stats:stats
    frontend port_80
      bind :80
      reqadd X-Forwarded-Proto: http
      maxconn 4096
      acl is_websocket hdr(Upgrade) -i WebSocket
      acl host_rule_1 hdr(host) -i appone.example.com
      acl host_rule_1_port hdr(host) -i appone.example.com:80
      use_backend SERVICE_test-routing_appone if host_rule_1 or host_rule_1_port
    backend SERVICE_test-routing_appone
      server test-routing_appone_1 172.19.0.8:443 check inter 2000 rise 2 fall 3
      server test-routing_appone_1 172.19.0.8:80 check inter 2000 rise 2 fall 3
    

    Verify the result by connecting with telnet

    $ telnet 120.76.43.112 80
    Trying 120.76.43.112...
    Connected to 120.76.43.112.
    Escape character is '^]'.
    
    HTTP/1.0 408 Request Time-out
    Cache-Control: no-cache
    Connection: close
    Content-Type: text/html
    
    <html><body><h1>408 Request Time-out</h1>
    Your browser didn't send a complete request in time.
    </body></html>
    Connection closed by foreign host.
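The telnet check above confirms the timeout once, by hand; in operation you want to see the same events in the HAProxy log. With `option httplog` in effect, a connection cut off by timeout http-request is logged with status 408, termination state `cR` (client-side timeout while waiting for the request) and the request text `<BADREQ>`. The script below is an added example, not part of the original article: it parses such log lines and aggregates the timeouts per source address, because a single hit is also produced by benign clients (a browser that pre-opened a connection and never used it), so only repeated hits from one source are worth flagging. The log lines embedded in it are constructed samples in the httplog layout; the hostname, pid and addresses are invented.

```python
"""Aggregate 'timeout http-request' hits per source from HAProxy httplog output.

Added example (not from the original post). Lines aborted by the request
timeout carry status 408, termination state 'cR' and the request "<BADREQ>".
"""
import re
from collections import Counter

# httplog fields used here: client address, accept date, frontend, backend/server,
# timers, status, bytes, two captured cookies, termination state.
_HTTPLOG = re.compile(
    r"haproxy\[\d+\]: (?P<src>[\d.]+):\d+ \[[^\]]+\] (?P<frontend>\S+) "
    r"(?P<backend>\S+) (?P<timers>[-\d/]+) (?P<status>\d{3}) \d+ \S+ \S+ "
    r"(?P<term>\S{4})"
)


def parse_httplog(text):
    """Yield one dict per recognisable httplog line; other lines are skipped."""
    for line in text.splitlines():
        m = _HTTPLOG.search(line)
        if m:
            yield m.groupdict()


def is_request_timeout(entry):
    """True when the connection was aborted by 'timeout http-request'."""
    return entry["status"] == "408" and entry["term"].startswith("cR")


def slow_request_sources(text, threshold=3):
    """Return {source_ip: count} for sources with at least `threshold` timeouts."""
    counts = Counter(e["src"] for e in parse_httplog(text) if is_request_timeout(e))
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed sample: one client trickling incomplete requests, one ordinary client.
SAMPLE_LOG = """\
Nov  1 10:00:01 lb haproxy[1234]: 203.0.113.5:51234 [01/Nov/2016:10:00:01.001] port_80 port_80/<NOSRV> -1/-1/-1/-1/5001 408 212 - - cR-- 3/3/0/0/0 0/0 "<BADREQ>"
Nov  1 10:00:02 lb haproxy[1234]: 198.51.100.7:40022 [01/Nov/2016:10:00:02.100] port_80 SERVICE_test-routing_appone/test-routing_appone_1 0/0/1/3/4 200 1523 - - ---- 2/2/0/1/0 0/0 "GET / HTTP/1.1"
Nov  1 10:00:07 lb haproxy[1234]: 203.0.113.5:51235 [01/Nov/2016:10:00:07.002] port_80 port_80/<NOSRV> -1/-1/-1/-1/5000 408 212 - - cR-- 3/3/0/0/0 0/0 "<BADREQ>"
Nov  1 10:00:09 lb haproxy[1234]: 198.51.100.7:40023 [01/Nov/2016:10:00:09.000] port_80 port_80/<NOSRV> -1/-1/-1/-1/5002 408 212 - - cR-- 2/2/0/0/0 0/0 "<BADREQ>"
Nov  1 10:00:13 lb haproxy[1234]: 203.0.113.5:51236 [01/Nov/2016:10:00:13.004] port_80 port_80/<NOSRV> -1/-1/-1/-1/5001 408 212 - - cR-- 3/3/0/0/0 0/0 "<BADREQ>"
"""

if __name__ == "__main__":
    for src, n in slow_request_sources(SAMPLE_LOG).items():
        print(f"{src}: {n} request timeouts")
```

The threshold is deliberately a parameter: with timeout http-request at 5s, three hits from one address within the sample window already means that address kept the frontend waiting for a quarter of a minute, while the single 198.51.100.7 entry is within what idle browser connections produce.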
    

    3. Limiting the number of concurrent connections per user

    Take a website as an example: when an ordinary user browses the site or downloads something from it, the browser usually opens 5-7 TCP connections. When a malicious user opens a large number of TCP connections, it consumes a large amount of server resources and affects other users' access, so we need to limit the number of connections of a single user according to the actual situation. A sample compose template follows:

    lb:
        image:  registry.aliyuncs.com/acs/proxy:0.5
        ports:
                -  '80:80'
        restart:  always
        labels:
            # the addon lets the proxy image subscribe to the registry and load service routes dynamically
            aliyun.custom_addon:  "proxy"
            # deploy one container of this image on every VM
            aliyun.global:  "true"
            # bind the frontend to the SLB
            aliyun.lb.port_80: tcp://proxy_test:80
        environment:
            # scope of backend containers whose routes are loaded; "*" means the whole cluster, default is the services within the application
            ADDITIONAL_SERVICES:  "*"
            EXTRA_DEFAULT_SETTINGS: 'timeout http-request 5s'
            EXTRA_FRONTEND_SETTINGS_80: 'stick-table type ip size 100k expire 30s store conn_cur,# Reject the new connection once the client already has 10 connections open,tcp-request connection reject if { src_conn_cur ge 10 },tcp-request connection track-sc1 src'
    appone:
        ports:
            -  80/tcp
            -  443/tcp
        image:  'registry.cn-hangzhou.aliyuncs.com/linhuatest/hello-world:latest'
        labels:
            # http/https/ws/wss protocols are supported here
            aliyun.proxy.VIRTUAL_HOST:  "http://appone.example.com"
        restart:  always
    

    The generated HAProxy configuration file is:

    global
      log 127.0.0.1 local0
      log 127.0.0.1 local1 notice
      log-send-hostname
      maxconn 4096
      pidfile /var/run/haproxy.pid
      user haproxy
      group haproxy
      daemon
      stats socket /var/run/haproxy.stats level admin
      ssl-default-bind-options no-sslv3
      ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA
    defaults
      balance roundrobin
      log global
      mode http
      option redispatch
      option httplog
      option dontlognull
      option forwardfor
      timeout connect 5000
      timeout client 50000
      timeout server 50000
      timeout http-request 5s
    listen stats
      bind :1936
      mode http
      stats enable
      timeout connect 10s
      timeout client 1m
      timeout server 1m
      stats hide-version
      stats realm Haproxy Statistics
      stats uri /
      stats auth stats:stats
    frontend port_80
      bind :80
      reqadd X-Forwarded-Proto: http
      maxconn 4096
      stick-table type ip size 100k expire 30s store conn_cur
      # Reject the new connection once the client already has 10 connections open
      tcp-request connection reject if { src_conn_cur ge 10 }
      tcp-request connection track-sc1 src
      acl is_websocket hdr(Upgrade) -i WebSocket
      acl host_rule_1 hdr(host) -i appone.example.com
      acl host_rule_1_port hdr(host) -i appone.example.com:80
      use_backend SERVICE_test-routing_appone if host_rule_1 or host_rule_1_port
    backend SERVICE_test-routing_appone
      server test-routing_appone_1 172.19.0.8:443 check inter 2000 rise 2 fall 3
      server test-routing_appone_1 172.19.0.8:80 check inter 2000 rise 2 fall 3
    

    Verify with the Apache benchmarking tool (ab), keeping 10 connections to the server open continuously.

    $ ab -H"host:appone.example.com" -n 5000000 -c 10 http://127.0.0.1:80/
    

    Open an 11th connection with telnet; the server rejects it.

    $ telnet 127.0.0.1 80
    Trying 127.0.0.1...
    Connected to 127.0.0.1.
    Escape character is '^]'.
    Connection closed by foreign host.
    

    4. Limiting the rate at which each user opens connections

    Limiting a single user's concurrent connections alone does not mean all is well: if a user keeps opening and closing connections to the server in a short time, that also consumes server resources and degrades server-side performance, so the access rate of a single user must be controlled as well.
    Usually, taking into account that a browser opens 5-7 TCP connections, we can assume that an ordinary user should not open more than 10 connections within 3 seconds. A sample compose template follows:

    lb:
        image:  registry.aliyuncs.com/acs/proxy:0.5
        ports:
                -  '80:80'
        restart:  always
        labels:
            # the addon lets the proxy image subscribe to the registry and load service routes dynamically
            aliyun.custom_addon:  "proxy"
            # deploy one container of this image on every VM
            aliyun.global:  "true"
            # bind the frontend to the SLB
            aliyun.lb.port_80: tcp://proxy_test:80
        environment:
            # scope of backend containers whose routes are loaded; "*" means the whole cluster, default is the services within the application
            ADDITIONAL_SERVICES:  "*"
            EXTRA_DEFAULT_SETTINGS: 'timeout http-request 5s'
            EXTRA_FRONTEND_SETTINGS_80: '# Table definition,stick-table type ip size 100k expire 30s store conn_rate(3s),# Reject the new connection once the client has opened 10 or more connections within 3s,tcp-request connection reject if { src_conn_rate ge 10 },tcp-request connection track-sc1 src'
    appone:
        ports:
            -  80/tcp
            -  443/tcp
        image:  'registry.cn-hangzhou.aliyuncs.com/linhuatest/hello-world:latest'
        labels:
            # http/https/ws/wss protocols are supported here
            aliyun.proxy.VIRTUAL_HOST:  "http://appone.example.com"
        restart:  always
    

    The generated configuration is:

    global
      log 127.0.0.1 local0
      log 127.0.0.1 local1 notice
      log-send-hostname
      maxconn 4096
      pidfile /var/run/haproxy.pid
      user haproxy
      group haproxy
      daemon
      stats socket /var/run/haproxy.stats level admin
      ssl-default-bind-options no-sslv3
      ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA
    defaults
      balance roundrobin
      log global
      mode http
      option redispatch
      option httplog
      option dontlognull
      option forwardfor
      timeout connect 5000
      timeout client 50000
      timeout server 50000
      timeout http-request 5s
    listen stats
      bind :1936
      mode http
      stats enable
      timeout connect 10s
      timeout client 1m
      timeout server 1m
      stats hide-version
      stats realm Haproxy Statistics
      stats uri /
      stats auth stats:stats
    frontend port_80
      bind :80
      reqadd X-Forwarded-Proto: http
      maxconn 4096
      # Table definition
      stick-table type ip size 100k expire 30s store conn_rate(3s)
      # Reject the new connection once the client has opened 10 or more connections within 3s
      tcp-request connection reject if { src_conn_rate ge 10 }
      tcp-request connection track-sc1 src
      acl is_websocket hdr(Upgrade) -i WebSocket
      acl host_rule_1 hdr(host) -i appone.example.com
      acl host_rule_1_port hdr(host) -i appone.example.com:80
      use_backend SERVICE_test-routing_appone if host_rule_1 or host_rule_1_port
    backend SERVICE_test-routing_appone
      server test-routing_appone_1 172.19.0.8:443 check inter 2000 rise 2 fall 3
      server test-routing_appone_1 172.19.0.8:80 check inter 2000 rise 2 fall 3
    

    To test, use ab to open 10 connections.

    $ ab -n 10 -c 1 -r http://127.0.0.1:8080/
    

    Then open an 11th connection with telnet; the server rejects the request.

    $ telnet 127.0.0.1 80
    Trying 127.0.0.1...
    Connected to 127.0.0.1.
    Escape character is '^]'.
    Connection closed by foreign host.
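Sections 3 and 4 both rely on a per-source-IP stick-table and on the rule order "reject, then track-sc1", so a rejected connection never enters the table. The simulation below is an added example, not part of the original article or of HAProxy: it models one entry per source with a conn_cur gauge and a conn_rate(3s) window, applies the two `ge 10` rules in the order the generated frontends use, and replays the two tests from the text (10 connections held open, then an 11th; 10 open-and-close cycles within a second, then an 11th). It uses an exact sliding window for the rate, whereas HAProxy's rate counters are an approximation, and it keys on the source address exactly as `track-sc1 src` does, so clients sharing one NAT address share one bucket. All addresses and timestamps are constructed.

```python
"""Simulate the stick-table rules from sections 3 and 4.

Added example (not from the original post). Models conn_cur and conn_rate(3s)
per source IP with 'expire 30s', and evaluates the frontend rules in order:
  tcp-request connection reject if { src_conn_cur ge 10 }   (section 3)
  tcp-request connection reject if { src_conn_rate ge 10 }  (section 4)
  tcp-request connection track-sc1 src
"""
from collections import deque


class StickTable:
    """One entry per source: current connections, open timestamps, last update."""

    def __init__(self, rate_period=3.0, expire=30.0):
        self.rate_period = rate_period
        self.expire = expire
        self._entries = {}

    def _live(self, src, now):
        """Return the entry for src unless it has expired (no update for 30s)."""
        e = self._entries.get(src)
        if e is None or now - e["last"] > self.expire:
            return None
        return e

    def conn_cur(self, src, now):
        e = self._live(src, now)
        return e["cur"] if e else 0

    def conn_rate(self, src, now):
        e = self._live(src, now)
        if not e:
            return 0
        return sum(1 for t in e["opens"] if now - t < self.rate_period)

    def track_open(self, src, now):
        """'tcp-request connection track-sc1 src': count an accepted connection."""
        e = self._live(src, now) or {"cur": 0, "opens": deque(), "last": now}
        self._entries[src] = e
        e["cur"] += 1
        e["opens"].append(now)
        while e["opens"] and now - e["opens"][0] >= self.rate_period:
            e["opens"].popleft()  # drop opens that left the 3s window
        e["last"] = now

    def close(self, src, now):
        """Connection closed: conn_cur drops, the rate window is untouched."""
        e = self._live(src, now)
        if e and e["cur"] > 0:
            e["cur"] -= 1
            e["last"] = now


def accept_connection(table, src, now, max_cur=10, max_rate=10):
    """Apply the frontend rules in order; rejected connections are not tracked."""
    if table.conn_cur(src, now) >= max_cur:
        return "reject:conn_cur"
    if table.conn_rate(src, now) >= max_rate:
        return "reject:conn_rate"
    table.track_open(src, now)
    return "accept"


def run_scenarios():
    """Replay the two tests from the article; returns the outcome of each probe."""
    table = StickTable()
    out = {}
    # Section 3: one client (constructed address) holds 10 connections open, 0.5s apart.
    for i in range(10):
        assert accept_connection(table, "203.0.113.5", now=i * 0.5) == "accept"
    out["11th_while_10_open"] = accept_connection(table, "203.0.113.5", now=5.0)
    out["other_client_same_time"] = accept_connection(table, "198.51.100.7", now=5.0)
    # Section 4: another client opens and immediately closes 10 connections within 1s.
    for i in range(10):
        t = i * 0.1
        assert accept_connection(table, "192.0.2.9", now=t) == "accept"
        table.close("192.0.2.9", now=t)
    out["11th_fast_churn"] = accept_connection(table, "192.0.2.9", now=1.0)
    out["same_client_after_3s"] = accept_connection(table, "192.0.2.9", now=4.0)
    return out


if __name__ == "__main__":
    for probe, verdict in run_scenarios().items():
        print(f"{probe}: {verdict}")
```

The second scenario is the one section 3 alone would miss: the churning client never has more than one connection open, so `src_conn_cur` stays at 0 or 1 and only the `conn_rate(3s)` rule stops the 11th attempt, until the window has emptied 3 seconds later.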
    
    Original article: https://www.cnblogs.com/scotth/p/6007768.html
Copyright © 2020-2023  润新知