Alibaba Cloud Container Service: Configuring the custom routing service to withstand DDoS attacks
Abstract: In Container Service, besides SLB, the custom routing service (based on HAProxy) can also serve as a line of defense against DDoS attacks. This article describes several methods for handling DDoS attacks of ordinary scale.
1. TCP flood attack (SYN Flood)
Tune the ECS kernel parameters to withstand a TCP flood: open /etc/sysctl.conf and set the following parameters.
# Protection SYN flood
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_max_syn_backlog = 1024
Run the following command to make the configuration file take effect:
sysctl -p
2. Slow connection attacks
An HTTP request normally consists of headers, a URL, a method and so on, and the server can only respond once it has received the whole request. A malicious client sends its HTTP request slowly, for example one byte of the headers at a time, so the server sits in a waiting state and its resources are tied up. HAProxy counters this with the timeout http-request parameter: when a client takes longer than the configured value to send its request, HAProxy closes the connection to that client. An example compose template:
lb:
  image: registry.aliyuncs.com/acs/proxy:0.5
  ports:
    - '80:80'
  restart: always
  labels:
    # the addon lets the proxy image subscribe to the registry and load service routes dynamically
    aliyun.custom_addon: "proxy"
    # deploy one container of this image on every VM
    aliyun.global: "true"
    # bind the frontend to SLB
    aliyun.lb.port_80: tcp://proxy_test:80
  environment:
    # scope of backend containers whose routes are loaded; "*" means the whole cluster, the default is the services of this application
    ADDITIONAL_SERVICES: "*"
    EXTRA_DEFAULT_SETTINGS: 'timeout http-request 5s'
appone:
  ports:
    - 80/tcp
    - 443/tcp
  image: 'registry.cn-hangzhou.aliyuncs.com/linhuatest/hello-world:latest'
  labels:
    # http/https/ws/wss protocols are supported here
    aliyun.proxy.VIRTUAL_HOST: "http://appone.example.com"
  restart: always
The generated HAProxy configuration file is:
global
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    log-send-hostname
    maxconn 4096
    pidfile /var/run/haproxy.pid
    user haproxy
    group haproxy
    daemon
    stats socket /var/run/haproxy.stats level admin
    ssl-default-bind-options no-sslv3
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA

defaults
    balance roundrobin
    log global
    mode http
    option redispatch
    option httplog
    option dontlognull
    option forwardfor
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    timeout http-request 5s    # this directive counters slow connection attacks

listen stats
    bind :1936
    mode http
    stats enable
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /
    stats auth stats:stats

frontend port_80
    bind :80
    reqadd X-Forwarded-Proto:\ http
    maxconn 4096
    acl is_websocket hdr(Upgrade) -i WebSocket
    acl host_rule_1 hdr(host) -i appone.example.com
    acl host_rule_1_port hdr(host) -i appone.example.com:80
    use_backend SERVICE_test-routing_appone if host_rule_1 or host_rule_1_port

backend SERVICE_test-routing_appone
    server test-routing_appone_1 172.19.0.8:443 check inter 2000 rise 2 fall 3
    server test-routing_appone_1 172.19.0.8:80 check inter 2000 rise 2 fall 3
Verify the result with telnet:
$ telnet 120.76.43.112 80
Trying 120.76.43.112...
Connected to 120.76.43.112.
Escape character is '^]'.
HTTP/1.0 408 Request Time-out
Cache-Control: no-cache
Connection: close
Content-Type: text/html

<html><body><h1>408 Request Time-out</h1>
Your browser didn't send a complete request in time.
</body></html>
Connection closed by foreign host.
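The 408 behaviour seen in the telnet session above comes from HAProxy reading the request head against an absolute deadline. The following added example (not code from the proxy image or from HAProxy) shows that mechanism in Python: read_request_head() gives up when `timeout` seconds have passed, regardless of how many bytes have trickled in, and serve_one() answers 408 and closes, just as `timeout http-request 5s` does. The in-process client in simulate(), which sends part of a header and then goes silent, is constructed test traffic; the timeouts are shortened so the demonstration finishes quickly.

```python
import select
import socket
import threading
import time

# Added example, not code from the proxy image or from HAProxy: a request-head
# reader with an absolute deadline, the behaviour `timeout http-request` gives
# you. The 408 body copies what the telnet test above received.
RESPONSE_408 = (
    b"HTTP/1.0 408 Request Time-out\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body><h1>408 Request Time-out</h1>\n"
    b"Your browser didn't send a complete request in time.\n"
    b"</body></html>\n"
)


def read_request_head(conn, timeout, max_head=8192):
    """Read until the blank line that terminates the request head.

    Returns ("ok", head), ("timeout", partial), ("closed", partial) or
    ("too_large", partial). The deadline is computed once, so a client that
    sends one byte at a time cannot keep pushing it back.
    """
    deadline = time.monotonic() + timeout
    buf = bytearray()
    while b"\r\n\r\n" not in buf:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return "timeout", bytes(buf)
        readable, _, _ = select.select([conn], [], [], remaining)
        if not readable:
            return "timeout", bytes(buf)
        chunk = conn.recv(4096)
        if not chunk:
            return "closed", bytes(buf)
        buf += chunk
        if len(buf) > max_head:
            return "too_large", bytes(buf)
    return "ok", bytes(buf)


def serve_one(conn, timeout):
    """Handle one connection: answer if the head arrives in time, otherwise
    send 408 and close, as HAProxy did in the telnet session."""
    status, _head = read_request_head(conn, timeout)
    if status == "ok":
        conn.sendall(b"HTTP/1.0 200 OK\r\nConnection: close\r\n\r\nhello\n")
    elif status == "timeout":
        conn.sendall(RESPONSE_408)
    conn.close()
    return status


def simulate(client_chunks, gap, timeout):
    """Drive serve_one() with an in-process client (constructed traffic) that
    sends `client_chunks` `gap` seconds apart and then stays silent.
    Returns (server-side status, first line of the server's reply)."""
    server_side, client_side = socket.socketpair()
    outcome = {}
    worker = threading.Thread(
        target=lambda: outcome.update(status=serve_one(server_side, timeout)))
    worker.start()
    for chunk in client_chunks:
        client_side.sendall(chunk)
        time.sleep(gap)
    worker.join()
    reply = client_side.recv(65536)
    client_side.close()
    return outcome["status"], reply.split(b"\r\n", 1)[0]


if __name__ == "__main__":
    # A complete request head is answered normally.
    print(simulate([b"GET / HTTP/1.0\r\nHost: appone.example.com\r\n\r\n"], 0, 1.0))
    # A client that stops after a partial header is cut off with 408.
    print(simulate([b"GET / HTTP/1.0\r\n", b"Host: appone."], 0.1, 0.5))
```

The detail that matters is that the deadline is fixed when the connection arrives rather than reset on every received byte; a per-read idle timeout alone (the `timeout client` directive) would never fire against a client that sends one byte every few seconds.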
3. Limiting the number of concurrent connections per user
Take a website as an example. When an ordinary user browses the site or downloads something from it, the browser usually opens 5-7 TCP connections. When a malicious client opens a very large number of TCP connections, it consumes a lot of server resources and degrades access for other users, so the number of connections from one user has to be limited according to the actual situation. An example compose template:
lb:
  image: registry.aliyuncs.com/acs/proxy:0.5
  ports:
    - '80:80'
  restart: always
  labels:
    # the addon lets the proxy image subscribe to the registry and load service routes dynamically
    aliyun.custom_addon: "proxy"
    # deploy one container of this image on every VM
    aliyun.global: "true"
    # bind the frontend to SLB
    aliyun.lb.port_80: tcp://proxy_test:80
  environment:
    # scope of backend containers whose routes are loaded; "*" means the whole cluster, the default is the services of this application
    ADDITIONAL_SERVICES: "*"
    EXTRA_DEFAULT_SETTINGS: 'timeout http-request 5s'
    EXTRA_FRONTEND_SETTINGS_80: 'stick-table type ip size 100k expire 30s store conn_cur,# Shut the new connection as long as the client has already 10 opened,tcp-request connection reject if { src_conn_cur ge 10 },tcp-request connection track-sc1 src'
appone:
  ports:
    - 80/tcp
    - 443/tcp
  image: 'registry.cn-hangzhou.aliyuncs.com/linhuatest/hello-world:latest'
  labels:
    # http/https/ws/wss protocols are supported here
    aliyun.proxy.VIRTUAL_HOST: "http://appone.example.com"
  restart: always
The generated HAProxy configuration file is:
global
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    log-send-hostname
    maxconn 4096
    pidfile /var/run/haproxy.pid
    user haproxy
    group haproxy
    daemon
    stats socket /var/run/haproxy.stats level admin
    ssl-default-bind-options no-sslv3
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA

defaults
    balance roundrobin
    log global
    mode http
    option redispatch
    option httplog
    option dontlognull
    option forwardfor
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    timeout http-request 5s

listen stats
    bind :1936
    mode http
    stats enable
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /
    stats auth stats:stats

frontend port_80
    bind :80
    reqadd X-Forwarded-Proto:\ http
    maxconn 4096
    stick-table type ip size 100k expire 30s store conn_cur
    # Shut the new connection as long as the client has already 10 opened
    tcp-request connection reject if { src_conn_cur ge 10 }
    tcp-request connection track-sc1 src
    acl is_websocket hdr(Upgrade) -i WebSocket
    acl host_rule_1 hdr(host) -i appone.example.com
    acl host_rule_1_port hdr(host) -i appone.example.com:80
    use_backend SERVICE_test-routing_appone if host_rule_1 or host_rule_1_port

backend SERVICE_test-routing_appone
    server test-routing_appone_1 172.19.0.8:443 check inter 2000 rise 2 fall 3
    server test-routing_appone_1 172.19.0.8:80 check inter 2000 rise 2 fall 3
Verify with the Apache benchmarking tool (ab), keeping 10 connections open to the server the whole time:
$ ab -H"host:appone.example.com" -n 5000000 -c 10 http://127.0.0.1:80/
Open an 11th connection with telnet; the server rejects it.
$ telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Connection closed by foreign host.
4. Limiting the connection rate per user
Limiting the number of concurrent connections per user alone does not settle the matter: a client that keeps opening and closing connections to the server in quick succession also consumes server resources and hurts server-side performance, so the rate at which a single user connects also needs to be controlled.
Given that a browser normally opens 5-7 TCP connections, we can usually assume that an ordinary user should not open more than 10 connections within 3 seconds. An example compose template:
lb:
  image: registry.aliyuncs.com/acs/proxy:0.5
  ports:
    - '80:80'
  restart: always
  labels:
    # the addon lets the proxy image subscribe to the registry and load service routes dynamically
    aliyun.custom_addon: "proxy"
    # deploy one container of this image on every VM
    aliyun.global: "true"
    # bind the frontend to SLB
    aliyun.lb.port_80: tcp://proxy_test:80
  environment:
    # scope of backend containers whose routes are loaded; "*" means the whole cluster, the default is the services of this application
    ADDITIONAL_SERVICES: "*"
    EXTRA_DEFAULT_SETTINGS: 'timeout http-request 5s'
    EXTRA_FRONTEND_SETTINGS_80: '# Table definition,stick-table type ip size 100k expire 30s store conn_rate(3s),# Shut the new connection as long as the client has already 10 opened,tcp-request connection reject if { src_conn_rate ge 10 },tcp-request connection track-sc1 src'
appone:
  ports:
    - 80/tcp
    - 443/tcp
  image: 'registry.cn-hangzhou.aliyuncs.com/linhuatest/hello-world:latest'
  labels:
    # http/https/ws/wss protocols are supported here
    aliyun.proxy.VIRTUAL_HOST: "http://appone.example.com"
  restart: always
The generated configuration is:
global
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    log-send-hostname
    maxconn 4096
    pidfile /var/run/haproxy.pid
    user haproxy
    group haproxy
    daemon
    stats socket /var/run/haproxy.stats level admin
    ssl-default-bind-options no-sslv3
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA

defaults
    balance roundrobin
    log global
    mode http
    option redispatch
    option httplog
    option dontlognull
    option forwardfor
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    timeout http-request 5s

listen stats
    bind :1936
    mode http
    stats enable
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /
    stats auth stats:stats

frontend port_80
    bind :80
    reqadd X-Forwarded-Proto:\ http
    maxconn 4096
    # Table definition
    stick-table type ip size 100k expire 30s store conn_rate(3s)
    # Shut the new connection as long as the client has already 10 opened
    tcp-request connection reject if { src_conn_rate ge 10 }
    tcp-request connection track-sc1 src
    acl is_websocket hdr(Upgrade) -i WebSocket
    acl host_rule_1 hdr(host) -i appone.example.com
    acl host_rule_1_port hdr(host) -i appone.example.com:80
    use_backend SERVICE_test-routing_appone if host_rule_1 or host_rule_1_port

backend SERVICE_test-routing_appone
    server test-routing_appone_1 172.19.0.8:443 check inter 2000 rise 2 fall 3
    server test-routing_appone_1 172.19.0.8:80 check inter 2000 rise 2 fall 3
Test: use ab to open 10 connections.
$ ab -n 10 -c 1 -r http://127.0.0.1:8080/
Then open an 11th connection with telnet; the server rejects the request.
$ telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Connection closed by foreign host.
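The frontend rules of sections 3 and 4 differ only in which counter the stick-table stores (conn_cur versus conn_rate(3s)), and each section tests one traffic pattern. The following added Python model (not HAProxy's implementation and not code from the proxy image) replays both test patterns against both rule sets, which makes the reason for section 4 visible: the concurrency limit alone accepts the open-and-close churn that the rate limit rejects. The model keeps an exact count of accepted connections in the last 3 seconds, whereas HAProxy's conn_rate is a sliding-window estimate, and it follows the rule order of the generated config, where the reject ACL is evaluated before `track-sc1 src`. Source addresses and timings are constructed.

```python
import collections

# Added example, not HAProxy's code: a per-source-IP counter table modelled
# on the two rule sets above.
#   stick-table type ip size 100k expire 30s store conn_cur
#   tcp-request connection reject if { src_conn_cur ge 10 }
#   stick-table type ip size 100k expire 30s store conn_rate(3s)
#   tcp-request connection reject if { src_conn_rate ge 10 }


class StickTable:
    def __init__(self, cur_limit=None, rate_limit=None, period=3.0, expire=30.0):
        self.cur_limit = cur_limit     # threshold of { src_conn_cur ge N }
        self.rate_limit = rate_limit   # threshold of { src_conn_rate ge N }
        self.period = period           # the 3s in conn_rate(3s)
        self.expire = expire           # the 30s in "expire 30s"
        self.entries = {}              # src -> {"open": int, "times": deque, "last": float}

    def _lookup(self, src, now):
        """Return the entry for src, dropping it if it has been idle longer than `expire`."""
        entry = self.entries.get(src)
        if entry is None:
            return None
        if entry["open"] == 0 and now - entry["last"] > self.expire:
            del self.entries[src]
            return None
        return entry

    def _rate(self, entry, now):
        """Exact count of accepted connections inside the last `period` seconds
        (HAProxy uses a sliding-window approximation instead)."""
        times = entry["times"]
        while times and times[0] <= now - self.period:
            times.popleft()
        return len(times)

    def on_connect(self, src, now):
        """Decide on a new TCP connection from src at time `now`.
        The reject check runs before tracking, as in the generated config,
        so a rejected connection never updates the counters."""
        entry = self._lookup(src, now)
        cur = entry["open"] if entry else 0
        rate = self._rate(entry, now) if entry else 0
        if self.cur_limit is not None and cur >= self.cur_limit:
            return "reject"
        if self.rate_limit is not None and rate >= self.rate_limit:
            return "reject"
        # tcp-request connection track-sc1 src: create or update the entry
        if entry is None:
            entry = self.entries[src] = {"open": 0, "times": collections.deque(), "last": now}
        entry["open"] += 1
        entry["times"].append(now)
        entry["last"] = now
        return "accept"

    def on_close(self, src, now):
        """conn_cur drops back when the client closes the connection."""
        entry = self.entries.get(src)
        if entry and entry["open"] > 0:
            entry["open"] -= 1
            entry["last"] = now


def replay(table, events):
    """Apply constructed events [(t, "connect" | "close", src), ...] in time
    order and return the decision for every connect."""
    decisions = []
    for t, kind, src in sorted(events):
        if kind == "connect":
            decisions.append(table.on_connect(src, t))
        else:
            table.on_close(src, t)
    return decisions


def scenario_hold(table):
    """Section 3's test: ab -c 10 keeps 10 connections open, then an 11th arrives."""
    src = "192.0.2.10"  # constructed client address
    events = [(i * 0.01, "connect", src) for i in range(10)]
    events.append((1.0, "connect", src))
    return replay(table, events)


def scenario_churn(table):
    """Section 4's test: ab -n 10 -c 1 opens and closes 10 connections one after
    another within 3 s (conn_cur is back to 0), then an 11th arrives."""
    src = "192.0.2.10"  # constructed client address
    events = []
    for i in range(10):
        events.append((i * 0.1, "connect", src))
        events.append((i * 0.1 + 0.05, "close", src))
    events.append((1.5, "connect", src))
    return replay(table, events)


if __name__ == "__main__":
    print("hold  / conn_cur :", scenario_hold(StickTable(cur_limit=10))[-1])
    print("churn / conn_cur :", scenario_churn(StickTable(cur_limit=10))[-1])
    print("churn / conn_rate:", scenario_churn(StickTable(rate_limit=10))[-1])
```

With the conn_cur rule the 11th connection is rejected only while the first 10 are still open; once the client closes them, the counter is back at 0 and the churn pattern is accepted every time. The conn_rate(3s) rule rejects the 11th connection in both patterns, because it counts connections opened in the window rather than connections currently open. On a running proxy the live entries can be inspected with `show table port_80` on the stats socket declared in the global section, which is the quickest way to confirm that a client is being tracked at all.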