Or it is enough to put the web hosting on the right web hosting, so that the "anonymous" have a moral dilemma http://t.co/8gHO1gSn
I agree with CSIRT's advice. I don't know the exact number of requests/sec, but IMHO, with preparation in advance and with known stress tests of the infrastructure, a non-botnet attack by Czech/Slovak Anonymous members can be handled without trouble.
Stress test of a tuned nginx (using its cache in RAM):
Transactions: 900 hits
Availability: 100.00 %
Elapsed time: 1.45 secs
Data transferred: 6.06 MB
Response time: 0.05 secs
Transaction rate: 620.69 trans/sec
Throughput: 4.18 MB/sec
Concurrency: 28.55
Successful transactions: 900
Failed transactions: 0
Longest transaction: 0.12
Shortest transaction: 0.01
For comparison, a standard nginx (everything goes to the backend, a web application written in the style of Joomla, Drupal, ...):
Transactions: 900 hits
Availability: 100.00 %
Elapsed time: 74.14 secs
Data transferred: 8.82 MB
Response time: 2.33 secs
Transaction rate: 12.14 trans/sec
Throughput: 0.12 MB/sec
Concurrency: 28.16
Successful transactions: 900
Failed transactions: 0
Longest transaction: 8.42
Shortest transaction: 0.35
So let's assume that we can get 600 trans/s out of one web server at a concurrency of 30. All that remains is to estimate how much we need to prepare for, and accordingly create the given number of tuned web server instances in different locations and balance it e.g. via DNS round-robin (which is of course not perfect balancing, but better than none).
IMHO 10 web server instances should be more than enough for SK/CZ non-botnet conditions, i.e. it should handle 6000 trans/sec at c=300 in the optimistic case
+ add the right rules to the FW http://serverfault.com/questions/211135/how-to-prevent-a-loic-ddos-attack
Even with all these measures, however, an attack is still possible. What to focus on, though, I won't advise the script kiddies :-P
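An added example, not part of the original comment: it parses the two siege summaries quoted above, checks them against Little's law (concurrency ≈ transaction rate × response time) and sizes the number of instances for a target rate. The function names and the `headroom` parameter are assumptions introduced for this sketch.

```python
import math
import re

# Siege summaries quoted in the comment above (only the fields used here).
TUNED = """Transaction rate: 620.69 trans/sec
Response time: 0.05 secs
Concurrency: 28.55"""
STANDARD = """Transaction rate: 12.14 trans/sec
Response time: 2.33 secs
Concurrency: 28.16"""

def parse_siege(text):
    """Return {field name: float} for every 'Name: number [unit]' line."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*([0-9.]+)", line)
        if m:
            fields[m.group(1).strip()] = float(m.group(2))
    return fields

def littles_law_gap(s):
    """Relative gap between reported concurrency and rate * response time.
    A large gap means the summary is inconsistent and should not be used."""
    predicted = s["Transaction rate"] * s["Response time"]
    return abs(predicted - s["Concurrency"]) / s["Concurrency"]

def instances_needed(target_rps, per_instance_rps, headroom=0.0):
    """Instances required to serve target_rps. headroom (0..1, hypothetical
    knob) is the share of each instance's measured rate kept in reserve,
    e.g. for the uneven spread of DNS round-robin."""
    usable = per_instance_rps * (1.0 - headroom)
    return math.ceil(target_rps / usable)

if __name__ == "__main__":
    tuned, std = parse_siege(TUNED), parse_siege(STANDARD)
    for name, s in (("tuned", tuned), ("standard", std)):
        print(f"{name}: Little's law gap {littles_law_gap(s):.1%}")
    ratio = tuned["Transaction rate"] / std["Transaction rate"]
    print(f"cache speed-up: {ratio:.0f}x")
    # The comment rounds the tuned rate down to 600 trans/s per server.
    print("instances for 6000 trans/s:", instances_needed(6000, 600))
    print("with 30% reserve:", instances_needed(6000, 600, headroom=0.3))
    print("uncached:", instances_needed(6000, std["Transaction rate"]))
```

The larger gap on the tuned run comes from siege rounding the response time to 0.05 s; the second call shows how quickly the optimistic figure of 10 instances grows once a reserve is held back.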