Home PC Games Linux Windows Database Network Programming Server Mobile  
           
  Home \ Linux \ Simple solution CC attack under Linux VPS     - WordPress blog installation Redis Cache (Server)

- Linux redirection and piping (Linux)

- Ubuntu 14.04 set auto sleep time (Linux)

- Linux input and output redirection (Linux)

- Broadcom transplanted to OpenWrt summary (Programming)

- Java objects to garbage collection (Programming)

- Windows 8.1 hard drive to install Ubuntu 14.04 dual system reference tutorials and multi-drive Precautions (Linux)

- How to identify memory leaks in Java (Programming)

- Create the container and run the application Docker (Server)

- Memcached distributed caching (Server)

- How to build Memcached Docker container (Server)

- Oracle 10046 Event (Database)

- MongoDB3.0.x version of the user authorization profile (stand-alone environment) (Database)

- Database start listening TNS-12537, TNS-12560 error (Database)

- Ubuntu 14.04 installed VirtualBox 4.3 appears vboxdrv: Unknown symbol mcount (Linux)

- Setting Wetty do not need an account login command line operations (Linux)

- Update GAMIT10.6 command (Linux)

- How to recover deleted files in Linux systems (Linux)

- When Vim create Python scripts, vim autocomplete interpreter and encoding method (Programming)

- LinkedList Basic Usage (Programming)

 
         
  Simple solution CC attack under Linux VPS
     
  Add Date : 2018-11-21      
         
         
         
  One: What is CC attack?
CC attack is to use a large number of the proxy server on the target computer to initiate a large number of connections, causes the target server resource exhaustion denial of service.
Attacks: CC is used to attack the main page. We have such experience, that is, when you visit the forum, if this forum larger, more access to people, open the page may be slow, is not it? ! In general, access to more people, the more the forum page, the larger the database, the higher the frequency is accessed, the system will take up considerable resources, space now know why many service providers say that we should not upload forum , chat rooms and other things instead.
A static page does not require much server resources can even say directly read out from the memory can be sent to you, but not the same forum, I see a message, the system needs to the database to determine whether I have read posts authority, if any, attending a post inside the content displayed - here at least 2 times a database access, if the volume has a 200MB database size, the system looks likely to 200MB in size of the data space this search again, this requires much of CPU resources and time? If I were to find a keyword, then the time is even more impressive, because the previous search can be limited to a small range, such as user rights only to check the user table, post the contents only check posts table, and can be found immediately stop the inquiry , and search all data will certainly be a judge, the time consumed is quite large.

CC is to make full use of this feature to simulate multiple users (the number of threads is the number of users) non-stop access (access operations that require large amounts of data, that requires a lot of CPU time of the page). Many of my friends asked, why use a proxy it? Because the agent can effectively hide their identities, you can bypass all firewalls, because the number of TCP / IP connections substantially all firewall will detect concurrent, more than a certain number of a certain frequency will be considered Connection-Flood.

Use a proxy attack can maintain a good connection, we are here to send the data, the proxy server to help us forward it to the other side, we can immediately disconnect, agents will continue to maintain and the other connection (I know some people use 2000 record agents produced 350,000 concurrent connections).

Two: how to prevent?
First, the preparatory work
1, log into the VPS control panel, ready at any time to restart the VPS.
2, close the Web Server first, excessive loads can cause behind the operation difficult, or even directly can not log in SSH.
3, just in case, the Web Server system settings to run automatically removed after startup.
(If you have been unable to log into the system, and just after the restart caused by excessive load boot has been unable to log in, www.linuxidc.com can contact the administrator Fengdiao VPS on the base unit's IP or port 80 on the machine tool with Virtual Console log into the system and then operate 2 & 3, after deblocking)

Second, find the attacker IP
1, create a file in the root directory of the site ip.php, writes the following.

< ? Php
$ Real_ip = getenv ( 'HTTP_X_FORWARDED_FOR');
if (isset ($ real_ip)) {
shell_exec ( "echo $ real_ip >> real_ip.txt");
shell_exec ( "echo $ _SERVER [ 'REMOTE_ADDR'] >> proxy.txt");
} Else {
shell_exec ( "echo $ _SERVER [ 'REMOTE_ADDR'] >> ips.txt");
} Echo 'server under attack, attack is being collected, please visit the site in a few minutes, many visits to the site within five minutes may be used as attack vectors seal IP. Thank you! ';
?> 2, set the pseudo-static, all are under the visit to rewrite ip.php.
Nginx rules:

(. *) Rewrite /ip.php;Lighttpd rules:

url.rewrite = (
"^ / (. +) /? $" => "/ip.php"
) 3 Start Web Server to start collecting IP
After finished setting 1 and 2, start Web Server, to start recording the IP information.
Time to collect suggestions for 3-5 minutes, then turn off Web Server again.
real_ip.txt, this file is saved in IP more than 80% of the same, this is the IP attacker attack platform IP.
proxy.txt, this file is saved in the attacker called proxy server IP, require sealing.
ips.txt, where the record is not showing characteristics of proxy servers IP, based on visits to determine whether the source of the attack.

Third, the period of supplementary
If the VPS WEB logging enabled, you can view the growth of the log file to determine which site is being attacked.
If you do not enable logging, and a small number of sites, temporarily enable logging is also very convenient.
If you do not enable logging and excessive number of sites, you can use the temporary Web Server configuration file, not bound virtual host, set a default site. Then add the following line in the ip.php

shell_exec ( "echo $ _SERVER [ 'HTTP_HOST'] >> domain.txt"); Fourth, start blocking IP
Create documents ban.php

$ Num) {
if ($ num> $ threshold) {
$ Ip = trim ($ ip);
$ Cmd = "iptables -I INPUT -p tcp -dport 80 -s $ ip -j DROP";
shell_exec ($ cmd);
echo "! $ ip baned \ n";
$ Ban_num ++;
}
} $ Proxy_arr = array_unique (file ( 'ips.txt'));
foreach ($ proxy_arr as $ proxy) {
$ Proxy = trim ($ proxy);
$ Cmd = "iptables -I INPUT -p tcp -dport 80 -s $ ip -j DROP";
shell_exec ($ cmd);
echo "! $ ip baned \ n";
$ Ban_num ++;
} Echo "total: $ ban_num ips \ n";
?> With the following command script (php command to ensure that the PATH)

php ban.php This script relies on the second paragraph ips.txt in saved results, when one IP number of visits recorded more than 10 times, as the source of the attack was to shield off. If the proxy server, not directly determine the number of sealing.
After sealing IP, all the settings back to normal site, the site can continue to operate normally.

Fifth, some details
In order to maintain the operation of the process described as concisely as possible without adding too much to explain in the above content to stay in this unity about.
1, some of the essence of "proxy server."
Two related TCP & HTTP protocol value, REMOTE_ADDR and HTTP_X_FORWARDED_FOR.
(1) REMOTE_ADDR always taken from IP Web server closest to a host, if not use a proxy, this value is the visitor's own IP, if you use a proxy, this value is the IP of the proxy server, if a plurality of through connection Broker server, this value is the Web server before it reaches the last proxy server IP.
REMOTE_ADDR by the TCP / IP layer decision can not be changed can not be forged.
(2) HTTP_X_FORWARDED_FOR, since this value is part of HTTP part, rather than TCP / IP, so no matter what the value will not affect the data transmission. In fact, under normal circumstances, if the visitor is a direct access to the Web server, this value is empty; through a transparent proxy when this value will be set to the proxy visitor's IP; via anonymous proxy, this value may be IP proxy server may be empty also be random.
HTTP_X_FORWARDED_FOR can be arbitrarily modified. Most proxy servers are transparent proxy, that is to say, this will set the value for the most original visitor IP.

2, CC attack on the settlement of the level of problem
Press processing efficiency from highest to lowest.
(As this article is written for VPS servers, and VPS is simply a substitute for other low-end, memory, and CPU resources of the server is generally low, of course, the higher the efficiency, the better.)
(1) network transport layer. Is used herein iptables, the tool itself is working in the system kernel, the attacker any direct connection to the network when establishing a connection. After this level will attack disposed of, resources consumed almost negligible.
(2) Web Server layer, most of the Web Server can be set up IP access is prohibited. On this layer of meaning and solve the above similar, but the efficiency to be satisfactory.
(3) the script layer, from the script itself to develop appropriate strategies to filter out attack. There are many solutions circulating on the network at this level, but less suitable for VPS, and set the difficulty may have to increase several times or several times.

3, why not collect IP from the log?
Mainly on account of two points, one most VPS users have because the hard disk space is too small, often clear the log a lot of trouble, and directly prohibit the log.
Second, if collect IP from logs, the complexity of the script is much higher, and may have to make some adjustments according to the situation, taking into account the people most want to read this article may not be the purpose of holding more technology, the paper is carried out step by step in accordance with this article operation, you can solve the problem.
     
         
         
         
  More:      
 
- Ubuntu study notes and related problem solving (Linux)
- MySQL & NoSQL - Memcached widget (Database)
- Source encountered problems and solutions when installing SaltStack (Server)
- How to install Docker and basic usage on Ubuntu 15.04 (Server)
- What happens after the MySQL disk space is full (Database)
- Ubuntu Gitolite management Git Server code base permissions (Server)
- Linux centos rm directory does not prompt (Linux)
- QBit development of micro-services (Server)
- SQLite database commonly used sentences and visualization tools on MAC MeasSQLlite use (Database)
- Linux signal and orphans, and zombie process (Programming)
- Netcat Example (Linux)
- MySQL query optimization: profile function (Database)
- MongoDB learning Notes (2) basic connection example of -Nodejs and MongoDB (Database)
- Linux Defensive / mitigate DDOS attacks (Linux)
- Multi-core CPU, multi-threading and parallel computation (Linux)
- Python 3 for instructions encoded string conversion (Programming)
- Install Oracle database error process of [INS-35172] (Database)
- The difference between free command displays the buffers and cache (Linux)
- Ceph cluster disk is no workaround for the remaining space (Server)
- Python function arguments * args and ** kwargs usage (Programming)
     
           
     
  CopyRight 2002-2022 newfreesoft.com, All Rights Reserved.