12:30 Malignant and ddos ??protection | |
With one of my projects has occurred an interesting story, want to share with you, can someone, it seems interesting. Since my project are often tortured DDOS'om, it was decided to transfer him under HighLoad Lab, which provide free protection from DDOS-attacks. Everything was super, they are proxied traffic through itself to our server. We have a server were blocked all incoming Ip-addresses except HighLoad'a. IssueBut on the night of November 13-14, the server was terribly slow, I could not understand why: the load was not, iptables do not accept, but the brakes were visible even under ssh. Day of the server crashed. The reason I did not know and the first thing that occurred to me - an old kernel slackwar'y, which have not been updated. It was decided to go to Krasnogorsk, office Redneta and rearrange the system straight from the tin on Debian, but it was not like I planned ... ReasonAs I went through in the mind of the possible reasons, the phone rang. On the wire was the chief administrator krasnogorsk.ru. He said that the accident occurred due to DDOS-attack, which took place at the time of replacement of equipment when the system of protection and treatment have been disabled. Since our server was at the home provider, it will be the first client traffic (regular Internet users) noticed the attack on the main site COMCOR'a and cut off our IP-address. At the peak of the attack reached 300 Mbps. Why not save the filters HighLoad'a?Attackers knew our old IP-address and the attack was carried out specifically to him, bypassing treatment systems, traffic, and of course, no iptables to block all mode does not help. Summaryserver is now moved to an unknown nobody IP, traffic goes through HighLoad Lab, set up a web server mail through Gmail, but all outbound connections to download the avatars on the links disabled because an attacker could upload an image from your server and see our new IP. It is about the scheme:The query user -> external ip antiddos server -> cleaning system traffic -> to nginx -> cleared traffic arrives on our server -> nginx -> apache -> and back to the user on the same chain. The most important thing is not to burn down an attacker to the real IP address of a web server. Assistance in preparing and editing: as3k:) | |
|
Total comments: 0 | |