GH GambleHub

DDoS protection and packet filtering

1) Why this matters

DDoS is a "mass degradation" of resources: link bandwidth/pps, state tables, kernel CPU/IRQ, connection pools, application limits. The goal is layered defense: shed volume at the network perimeter, neutralise protocol anomalies before they reach the TCP/IP stack, and cut off unwanted requests at L7 while keeping the SLO for legitimate users.

2) Attack classes

2.1 L3/L4 (volumetric/protocol)

Volumetric: UDP flood, UDP reflection/amplification (DNS/CLDAP/NTP/SSDP/memcached/mDNS), GRE flood.
Protocol/state exhaustion: SYN flood, ACK/RST flood, TCP connection exhaustion, ICMP flood, TCP fragmentation.
QUIC/UDP specifics: bogus Initial/Retry storms, spoofed sources.

2.2 L7 (application)

HTTP/1.1: requests to expensive routes, header oversize/field smuggling.
HTTP/2: Rapid Reset, stream flood, HEADERS flood, PRIORITY abuse.
HTTP/3 (QUIC): unfinished connections/streams, Initial flood.
Slow attacks: slowloris/slow-read/slow-POST.
gRPC/WebSocket: unbounded streams, message flood, oversized frames.

3) Baseline defense architecture

1. Anycast + Scrubbing

Spread traffic globally and steer it through the provider's scrubbing centers (volumetric/spoofed traffic is cut at the edge).

2. Multi-CDN / Multi-Edge

Split domains (web, API, static); protection for read load and cache aggregation.

3. Low-level filters on your own perimeter

ACLs on border routers (RFC1918, bogons, known-bad ports).
eBPF/XDP early-drop by signature and rate limits before conntrack.

4. L7 perimeter (NGINX/Envoy/WAF)

RPS per key, challenges (captcha/PoW), cache, throttling on "expensive" routes.

5. Internal resilience

Connection pools, queues, circuit breakers/timeouts, service isolation (bulkhead) and autoscaling (load shedder).

4) Network "valves": what to enable immediately

4.1 Linux sysctl (kernel/stack)

```bash
# TCP SYN flood
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_synack_retries=3

# Conntrack / nf_conntrack tables
sysctl -w net.netfilter.nf_conntrack_max=262144
sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=300

# ICMP / redirects
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.all.send_redirects=0

# Socket resources
sysctl -w net.core.somaxconn=4096
sysctl -w net.core.netdev_max_backlog=250000
sysctl -w net.core.rmem_max=134217728
sysctl -w net.core.wmem_max=134217728
```

4.2 nftables: baseline filters and per-packet rate limits

```nft
table inet filter {
  set bogon {
    type ipv4_addr
    flags interval
    elements = { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8,
                 169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16,
                 198.18.0.0/15, 224.0.0.0/4 }
  }

  chain input {
    type filter hook input priority 0; policy drop;
    ip saddr @bogon drop
    ct state established,related accept

    # UDP amplification ports: cap pps
    udp dport { 53, 123, 389, 1900, 5353, 11211 } limit rate over 2000/second drop

    # SYN rate-limit for the exposed services, then admit the remaining SYNs
    tcp flags syn tcp dport { 80, 443 } limit rate over 2000/second drop
    tcp dport { 80, 443 } ct state new accept

    # ICMP: allow a trickle, the policy drops the rest
    ip protocol icmp limit rate 100/second accept
  }
}
```

4.3 XDP/eBPF (the idea)

Early-drop of packets with spoofed sources (uRPF itself is done on the router).
Hash buckets for pps per /32 and per /24; dynamic "quarantine" of sources.
Inbound UDP reflection: DNS response-like signatures (drop replies that are out of context).
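The following Python is an added illustration, not the page's own code and not a real XDP program: it simulates the early-drop idea above with pps token buckets keyed per /32 and per /24 plus a quarantine for sources that keep exhausting their budget. The limits (50 pps per /32, 500 pps per /24, 100 over-budget packets before a 30 s quarantine) and the sample addresses are assumed; in production this logic lives in an XDP program backed by BPF hash maps, and the `drops` counter is the `drop_pps{reason}` metric from section 11.

```python
"""Simulation of the XDP/eBPF early-drop idea: pps token buckets per /32
and per /24 plus a dynamic quarantine. Added example, not the page's code;
all limits and the traffic below are assumed/constructed."""
import ipaddress
from collections import defaultdict

PPS_LIMIT_32 = 50            # packets/second budget per single source (assumed)
PPS_LIMIT_24 = 500           # packets/second budget per /24 (assumed)
STRIKES_TO_QUARANTINE = 100  # over-budget packets before quarantine (assumed)
QUARANTINE_SECS = 30.0       # how long a quarantined source is dropped (assumed)


class Bucket:
    """Token bucket: capacity == refill rate, so it tolerates a 1 s burst."""

    def __init__(self, rate):
        self.rate = float(rate)
        self.tokens = float(rate)
        self.last = 0.0

    def take(self, now):
        self.tokens = min(self.rate, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class EarlyDrop:
    def __init__(self):
        self.b32 = defaultdict(lambda: Bucket(PPS_LIMIT_32))
        self.b24 = defaultdict(lambda: Bucket(PPS_LIMIT_24))
        self.strikes = defaultdict(int)
        self.quarantined = {}          # src -> release time
        self.drops = defaultdict(int)  # reason -> count, i.e. drop_pps{reason}

    def process(self, now, src):
        """Verdict for one packet from `src` at time `now`: 'PASS' or 'DROP'."""
        if self.quarantined.get(src, -1.0) > now:
            self.drops["quarantine"] += 1
            return "DROP"
        net24 = str(ipaddress.ip_network(f"{src}/24", strict=False))
        if not self.b24[net24].take(now):
            self.drops["pps_per24"] += 1
            return "DROP"
        if not self.b32[src].take(now):
            self.drops["pps_per32"] += 1
            self.strikes[src] += 1
            if self.strikes[src] >= STRIKES_TO_QUARANTINE:
                self.quarantined[src] = now + QUARANTINE_SECS
                self.strikes[src] = 0
            return "DROP"
        return "PASS"


def simulate():
    """Constructed traffic: one source blasting 1000 packets within one second,
    a legitimate source at 10 pps, then the blaster coming back later."""
    fw = EarlyDrop()
    attacker, legit = "198.51.100.7", "203.0.113.5"
    out = {"attacker": defaultdict(int), "legit": defaultdict(int)}
    for i in range(1000):
        out["attacker"][fw.process(i / 1000.0, attacker)] += 1
    for i in range(10):
        out["legit"][fw.process(i / 10.0, legit)] += 1
    out["attacker_during_quarantine"] = fw.process(5.0, attacker)
    out["attacker_after_quarantine"] = fw.process(5.0 + QUARANTINE_SECS, attacker)
    return fw, out


if __name__ == "__main__":
    fw, out = simulate()
    print(dict(out["attacker"]), dict(out["legit"]), dict(fw.drops))
```

The /24 bucket is checked first so that a whole prefix spraying packets is capped before any per-host state is allocated; the quarantine keeps a repeat offender out of both buckets, which is what makes the per-/32 map affordable under a spoofed flood.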

5) UDP amplification: inventory and blocks

Commonly used reflectors/amplifiers: DNS (open resolvers), NTP (monlist), CLDAP, SSDP, mDNS, Memcached (UDP), Chargen.

Countermeasures:
  • Close/restrict UDP services, minimise open ports.
  • Limit pps/bitrate at the perimeter for the known ports.
  • DNS advice: recursion only for your own networks, RRL (Response Rate Limiting), minimise ANY.
  • NTP: "bootstrap" only for trusted peers, "noquery" for the public.
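As an added example (not the page's code), the Python below implements the "response-like signature, out of context" check for the reflector inventory above: an inbound UDP packet whose source port belongs to a known amplifier service is dropped unless this host recently sent a request to that address and port. The request TTL and the sample packets are constructed; on an edge host that never originates UDP itself the request cache stays empty and the filter is fully stateless, which is the conntrack-less property section 6 asks for.

```python
"""Filter for UDP reflection/amplification traffic: response-like packets
from well-known reflector ports that no outbound request explains.
Added example, not the page's code; packets below are constructed."""
from collections import deque

# Reflector service ports from the inventory above (19 = Chargen)
AMPLIFIER_PORTS = {53: "DNS", 123: "NTP", 389: "CLDAP", 1900: "SSDP",
                   5353: "mDNS", 11211: "memcached", 19: "chargen"}
REQUEST_TTL = 5.0   # seconds an outbound request keeps its reply "in context" (assumed)


class ReflectionFilter:
    def __init__(self):
        self.recent_requests = deque()   # (t, dst_ip, dst_port, our_src_port)

    def outbound(self, t, dst_ip, dst_port, src_port):
        """Record an outbound UDP request so that its reply is in context."""
        self.recent_requests.append((t, dst_ip, dst_port, src_port))

    def _in_context(self, t, src_ip, src_port, dst_port):
        # expire old requests, then look for a matching (ip, port, our port) tuple
        while self.recent_requests and t - self.recent_requests[0][0] > REQUEST_TTL:
            self.recent_requests.popleft()
        return any(ip == src_ip and port == src_port and ours == dst_port
                   for _, ip, port, ours in self.recent_requests)

    def inbound(self, t, src_ip, src_port, dst_port, length):
        """Verdict for one inbound UDP packet: ('ACCEPT'|'DROP', reason)."""
        service = AMPLIFIER_PORTS.get(src_port)
        if service is None:
            return ("ACCEPT", "not a reflector port")
        if self._in_context(t, src_ip, src_port, dst_port):
            return ("ACCEPT", f"{service} reply to our own request")
        # A reflector port answering a question we never asked: amplification payload
        return ("DROP", f"out-of-context {service} response, {length} bytes")


def simulate():
    """Constructed packets: one real DNS exchange, three reflection hits,
    one non-reflector packet, one reply arriving after the TTL."""
    f = ReflectionFilter()
    f.outbound(0.0, "203.0.113.53", 53, 40001)              # our resolver query
    return [
        f.inbound(0.1, "203.0.113.53", 53, 40001, 120),     # legitimate DNS reply
        f.inbound(0.2, "198.51.100.9", 53, 40001, 1460),    # unsolicited DNS response
        f.inbound(0.3, "198.51.100.10", 123, 443, 468),     # NTP monlist-sized reply
        f.inbound(0.4, "198.51.100.11", 11211, 443, 1400),  # memcached response
        f.inbound(0.5, "192.0.2.77", 51515, 443, 1200),     # ordinary UDP, e.g. QUIC
        f.inbound(6.0, "203.0.113.53", 53, 40001, 120),     # same resolver, context expired
    ]


if __name__ == "__main__":
    for verdict in simulate():
        print(verdict)
```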

6) TCP state exhaustion

SYN flood: `tcp_syncookies=1`, a high `tcp_max_syn_backlog`, `tcp_synack_retries=3`, drop by pps.
ACK/RST flood: low-level limits, nftables/eBPF.
Conntrack-less at the border: do not spend state-table entries on cases that can be filtered by stateless signatures.

7) HTTP/2/3 and "smart" L7 attacks

HTTP/2 Rapid Reset: limit the RST_STREAM frame rate and the number of open streams; close the connection on anomalies.
Stream abuse: limit concurrent streams, header size, max frame size.
QUIC/HTTP/3: limit Initial pps, enable Retry; short handshake timeouts.

NGINX (L7 fragment)

```nginx
# Header/body constraints
client_max_body_size 1m;
large_client_header_buffers 4 8k;

# HTTP/2 limits
http2_max_concurrent_streams 128;
http2_recv_buffer_size 256k;

# Rate limit by IP (example)
limit_req_zone $binary_remote_addr zone=reqs:20m rate=100r/s;
limit_req zone=reqs burst=200 nodelay;
```

Envoy (anti-reset and limits)

```yaml
http2_protocol_options:
  max_concurrent_streams: 128
  initial_stream_window_size: 65536
  max_outbound_frames: 10000
  stream_error_on_invalid_http_messaging: true
```
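The connection-level logic that the nginx and Envoy settings above enable, written out as an added Python example (not the page's code and not how either proxy implements it): each HTTP/2 connection gets a guard that counts RST_STREAM frames in a sliding window, caps open streams at 128 and closes the connection on the first anomaly. The window, the RST threshold and the frame log are assumed/constructed.

```python
"""Per-connection guard against HTTP/2 Rapid Reset and stream abuse:
counts RST_STREAM frames in a sliding window, caps open streams, and
closes the connection on anomaly. Added example in plain Python (the
real enforcement lives in nginx/Envoy); the frame log is constructed."""
from collections import defaultdict, deque

MAX_CONCURRENT_STREAMS = 128  # same value as the nginx/Envoy fragments above
RST_WINDOW_SECS = 1.0         # sliding window for the RST_STREAM rate (assumed)
MAX_RST_PER_WINDOW = 100      # h2_rst_rate threshold that closes a connection (assumed)


class H2ConnGuard:
    def __init__(self):
        self.open_streams = set()
        self.rst_times = deque()
        self.closed_reason = None

    def on_frame(self, t, ftype, stream_id):
        """Feed one frame; returns None while healthy, else the close reason."""
        if self.closed_reason:
            return self.closed_reason
        if ftype == "HEADERS":
            self.open_streams.add(stream_id)
            if len(self.open_streams) > MAX_CONCURRENT_STREAMS:
                self.closed_reason = "too_many_streams"
        elif ftype == "RST_STREAM":
            self.open_streams.discard(stream_id)
            self.rst_times.append(t)
            while self.rst_times and t - self.rst_times[0] > RST_WINDOW_SECS:
                self.rst_times.popleft()
            if len(self.rst_times) > MAX_RST_PER_WINDOW:
                self.closed_reason = "rapid_reset"
        elif ftype == "END_STREAM":
            self.open_streams.discard(stream_id)
        return self.closed_reason

    def rst_rate(self):
        """RST_STREAM frames in the current window (the h2_rst_rate metric)."""
        return len(self.rst_times)


def run_log(frames):
    """frames: (conn_id, t, frame_type, stream_id). Returns {conn_id: close reason or None}."""
    guards = defaultdict(H2ConnGuard)
    for conn, t, ftype, sid in frames:
        guards[conn].on_frame(t, ftype, sid)
    return {conn: g.closed_reason for conn, g in guards.items()}


def constructed_log():
    frames = []
    for i in range(20):                       # conn A: 20 ordinary requests over 2 s
        sid = 2 * i + 1
        frames.append(("A", i * 0.1, "HEADERS", sid))
        frames.append(("A", i * 0.1 + 0.05, "END_STREAM", sid))
    for i in range(300):                      # conn B: Rapid Reset, 300 HEADERS+RST in 0.3 s
        sid = 2 * i + 1
        frames.append(("B", i * 0.001, "HEADERS", sid))
        frames.append(("B", i * 0.001 + 0.0005, "RST_STREAM", sid))
    for i in range(200):                      # conn C: 200 streams opened, none finished
        frames.append(("C", i * 0.01, "HEADERS", 2 * i + 1))
    return frames


if __name__ == "__main__":
    print(run_log(constructed_log()))
```

Rapid Reset is invisible to a plain concurrent-streams cap, because the attacker never holds more than one stream open; that is why the guard tracks the RST rate separately from the open-stream count, and why both `h2_rst_rate` and stream counts belong on the dashboards in section 11.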

8) Slow attacks and resource protection

Slowloris/slow-read/slow-POST: enable `proxy_request_buffering on`, a low idle timeout and a minimum acceptable `read_rate`.
Terminate connections that stall between requests.
In the application: read/discard the body early, limit JSON size/depth.
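To make the idle-timeout and minimum-read-rate rule concrete, here is an added Python example (not the page's code and not a proxy implementation) that reads a request body as a timeline of chunks and aborts on the three slow-attack patterns: a long gap between chunks, a sustained rate below the floor after a grace period, and an oversized declaration. The thresholds and chunk timelines are assumed; the 1 MB cap mirrors `client_max_body_size 1m` in the nginx fragment.

```python
"""Enforcement of a minimum body read rate and idle timeout, the logic
behind the slow-POST/slow-read settings above. Added example in plain
Python, not the proxy's code; thresholds and chunk timelines are assumed."""

MIN_BYTES_PER_SEC = 1024    # minimum acceptable read rate after the grace period (assumed)
IDLE_TIMEOUT_SECS = 5.0     # longest allowed gap between body chunks (assumed)
GRACE_SECS = 2.0            # rate is not judged during the first seconds (assumed)
MAX_BODY_BYTES = 1_000_000  # mirrors client_max_body_size 1m


def read_body(chunks, declared_length):
    """chunks: iterable of (t_seconds, n_bytes) as they arrive.
    Returns ('OK', total_bytes) or ('ABORT', reason)."""
    if declared_length > MAX_BODY_BYTES:
        return ("ABORT", "body_too_large")
    received, last_t = 0, 0.0
    for t, n in chunks:
        if t - last_t > IDLE_TIMEOUT_SECS:
            return ("ABORT", "idle_timeout")
        received += n
        last_t = t
        if received > declared_length:
            return ("ABORT", "body_exceeds_content_length")
        if t > GRACE_SECS and received / t < MIN_BYTES_PER_SEC:
            return ("ABORT", "read_rate_too_low")
        if received == declared_length:
            return ("OK", received)
    return ("ABORT", "incomplete_body")   # client went away before finishing


def scenarios():
    """Constructed timelines: a normal upload, a slow-POST trickle,
    a client that stalls, and an oversized declaration."""
    normal = [(i * 0.1, 4096) for i in range(10)]        # 40 KiB in 1 s
    trickle = [(4.0 * (i + 1), 1) for i in range(25)]      # 1 byte every 4 s
    stall = [(0.1, 1000), (7.0, 1000)]                     # 6.9 s of silence
    return {
        "normal": read_body(normal, 40960),
        "trickle": read_body(trickle, 100000),
        "stall": read_body(stall, 2000),
        "oversized": read_body([], 5_000_000),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

The grace period matters: judging the average rate from the first millisecond would reject mobile clients on a lossy link, while judging it only at the end would let a trickle hold a worker for minutes. Abort decisions should also increment `slow_req_total` so the runbook's detection step sees them.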

9) L7 filtering: whoever matters more gets through

Traffic classification: known good (mTLS/JWT partners), registered users, anonymous.
Priorities: "expensive" write routes (deposits/withdrawals): protect them, but let verified users through; read catalogues: cache + throttle.
Challenge layer: captcha/PoW/JS challenges for the grey zone at peak.

10) Cache, coalescing and degradation

Edge cache for static/quasi-static responses, `stale-while-revalidate`.
Request coalescing: collapse parallel requests for the same key at the proxy and in the application.
Degrade mode: switch off second-tier features (personalisation, heavy reports), serve "light" pages.
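Request coalescing in the application, as an added Python example (not the page's code): a single-flight wrapper lets the first request for a key call the backend while every concurrent request for the same key waits for that one result, so a burst of identical reads costs one origin hit. The backend, its latency and the key are constructed.

```python
"""Single-flight request coalescing: concurrent requests for the same key
share one backend call. Added illustration in plain Python (threads),
not the project's proxy configuration; backend and key are constructed."""
import threading
import time


class SingleFlight:
    def __init__(self):
        self._lock = threading.Lock()
        self._inflight = {}   # key -> {"done": Event, "result": ..., "error": ...}

    def do(self, key, fn):
        """Run fn() once per key while it is in flight; followers get the same result."""
        with self._lock:
            call = self._inflight.get(key)
            leader = call is None
            if leader:
                call = {"done": threading.Event(), "result": None, "error": None}
                self._inflight[key] = call
        if leader:
            try:
                call["result"] = fn()
            except Exception as exc:          # propagate the failure to all waiters
                call["error"] = exc
            finally:
                with self._lock:
                    del self._inflight[key]   # next request after this one starts fresh
                call["done"].set()
        else:
            call["done"].wait()
        if call["error"] is not None:
            raise call["error"]
        return call["result"]


class SlowBackend:
    """Constructed backend that counts how many times it was really called."""

    def __init__(self, latency=0.3):
        self.calls = 0
        self.latency = latency
        self._lock = threading.Lock()

    def fetch_odds(self, event_id):
        with self._lock:
            self.calls += 1
        time.sleep(self.latency)
        return {"event": event_id, "home": 1.85, "away": 2.10}


def burst(n_clients=16, key="odds:event:42"):
    """n_clients hit the same key at once; returns (backend calls, distinct result objects)."""
    backend = SlowBackend()
    sf = SingleFlight()
    start = threading.Barrier(n_clients)
    results = [None] * n_clients

    def client(i):
        start.wait()                          # release all clients together
        results[i] = sf.do(key, lambda: backend.fetch_odds(42))

    threads = [threading.Thread(target=client, args=(i,)) for i in range(n_clients)]
    for th in threads:
        th.start()
    for th in threads:
        th.join()
    return backend.calls, len({id(r) for r in results})


if __name__ == "__main__":
    print("backend calls, distinct results:", burst())
```

Pair this with a short cache TTL and `stale-while-revalidate` at the edge: coalescing removes the thundering herd on a cache miss, the cache removes most misses, and in degrade mode the same wrapper can return the last good value when the backend is shed.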

11) Observability and telemetry

Metrics (per PoP/node/cluster):
  • L3/L4: `pps_in/out`, `bps_in/out`, `drop_pps{reason}`, `syn_recv`, `conntrack_used/limit`, `xdp_drop_pps`.
  • L7: `requests_total{route}`, `429_total`, `challenge_total{type}`, `h2_rst_rate`, `slow_req_total`.
  • Correlated signals: CPU IRQ soft/hard, NIC queue drops, run-queue length.

Logs: sampled, aggregated per /24, with ASN, ports and signatures; no PII.
Tracing: allow-list based; widen sampling during an incident.

12) Action plans (runbook)

1. Detect: pps/bps/429/h2_rst_rate thresholds fire.
2. Classify: layer (L3/4/7), protocol (UDP/TCP/h2/h3), geo/ASN.
3. Valves:
  • push scrubbing/blackhole profiles to the provider,
  • tighten nftables/eBPF limits,
  • lower L7 limits and raise challenges,
  • enable Retry for QUIC (Initial flood).
4. Communications: status page, notification templates for partners.
5. Forensics: capture 60-120 s of PCAP, top talkers by ASN/ports.
6. Retrospective: update signatures, thresholds and the reflector list.

13) Testing and drills

Quarterly DDoS drill playbooks: synthetic UDP/HTTP bursts, slow traffic, HTTP/2 reset.
Game day: Anycast failover/migration between CDNs, degradation down to "light" mode.
Provider verification: scrubbing SLA, time to enable/disable filters, max pps/bps.

14) Antipatterns

Relying on the L7 WAF alone during a volumetric attack.
No uRPF/ACL at the border and conntrack-heavy filtering "head-on".
Unbounded headers/bodies and long keep-alive at peak.
No Anycast/multi-edge.
No monitoring of NIC/IRQ/CPU headroom and queues.
No cache/coalescing: excess RPS.

15) iGaming/finance specifics

Time-bound peaks (matches/derbies/lottery draws): pre-scale PoP capacity, enable aggressive caching of odds, run canary challenges for anonymous users.
Payment/withdrawal routes: a separate edge pool with mTLS, short timeouts, concurrency limits; no 0-RTT.
Geo-policies: regional allow-lists, ASN filtering of "hosting" ranges, fast geo-switching.
Intersection with antifraud: velocity limits and the Risk API switch to a "hard" profile during a DDoS event.

16) Production readiness checklist

  • Anycast or multi-edge/CDN; scrubbing channels verified.
  • Border ACL/uRPF; nftables/eBPF/XDP profiles, conntrack-less filtering.
  • Sysctl tuning for TCP/SYN, pps limits for UDP amplifier ports.
  • HTTP/2/3 limits (streams, frames, headers), slow-attack protection, body/header limits.
  • L7 limits and challenges; cache and coalescing at the perimeter.
  • Dashboards for pps/bps/conntrack/IRQ + L7 RED; alerts on h2_rst/429 anomalies.
  • Runbooks/playbooks, provider contacts, one-click profile activation.
  • Drills: bursts, slow, HTTP/2 reset; improvements reported and recorded.
  • Dedicated pools, mTLS and strict limits for payment/critical routes.

17) TL;DR

Layer the defense: Anycast + scrubbing sheds volume, eBPF/XDP + nftables cuts junk before the stack, L7 limits/challenges/cache keep the SLA. Tune TCP (SYN cookies, backlog), limit UDP amplifiers, set HTTP/2/3 and slow-attack protection thresholds. Have a runbook and rehearse it; for iGaming, pre-scale the edge for peak hours and isolate payment paths with mTLS and strict limits.
