Analysis and defense of a website after being attacked

Source: Internet
Author: User

Around 23:00 at night I received a large number of monitoring alarms: the company website could not be accessed at all. I immediately logged on to the server and ran top, which showed the following:

[Screenshot of the top output; original image: http://s3.51cto.com/wyfs02/M01/54/17/wKiom1R33o2CIglhAAH_T-KD8CQ742.jpg]

The load had reached 800 and the machine was about to fall over. I first stopped MySQL and the load came down a little. I contacted the development colleagues to check, because some new code had gone online that day and the new code might be the problem. The load still did not drop, so I restarted PHP and Nginx as well; that brought it down briefly, but after a while the load shot up again. At that point I looked at the Nginx log to see whether the problem was caused by user access, and one look found the problem, as follows:

[Screenshot of the Nginx access log; original image: http://s3.51cto.com/wyfs02/M00/54/17/wKiom1R33qWyrnY3AAjSqydwWmA873.jpg]

More than 600,000 (60w+) requests were made in 30 minutes.

[Screenshot of the Nginx log showing the requesting IP; original image: http://s3.51cto.com/wyfs02/M01/54/15/wKioL1R331XyfvTlAABaLA8wHwQ087.jpg]

I found that this IP was sending requests constantly; it was obviously an attack. I temporarily denied this IP in Nginx, returning 503 to it directly. The configuration, added inside the server block, is as follows:

[Screenshot of the Nginx deny configuration; original image: http://s3.51cto.com/wyfs02/M02/54/17/wKiom1R33ufBOvfaAAApMj1Nqyg355.jpg]

The load slowly came down and the service returned to normal. It was late by then, so I washed up and went to sleep. The next morning I found the site would not open. Looking straight at the Nginx log, the attacker had switched to another IP, with the same pattern as the night before. This time I killed it at the source by adding iptables rules, as follows:

[Screenshot of the iptables commands; original image: http://s3.51cto.com/wyfs02/M02/54/15/wKioL1R334OSr2v5AAEr8pgdt3M099.jpg]

I wrote all the attacking IPs into iptables, then contacted the data center to see whether they could put a policy in place to help with this CC attack. In the end the data center blocked these IPs as well. But what about the attacker's IP? He can switch to a new one at any time, and I cannot keep adding one rule each time he switches. It seemed only a bigger move would do, so I wrote an iptables script, as follows:

[Screenshot of the iptables script; original image: http://s3.51cto.com/wyfs02/M02/54/17/wKiom1R33xXyQS2tAAEmHF3l-ro822.jpg]

It counts TCP connections per IP: the same IP with more than 500 TCP connections is definitely the attacker's IP, since a normal user does not open 500 windows to visit my website. That IP then goes straight into iptables. With that, the problem was solved. One feature of this CC attack is that the source IP is basically fixed; a DDoS may come from many different source IPs, and then this kind of defense looks a little weak. How do you defend against attacks from different source IPs?
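The two checks described above, counting requests per client IP in the Nginx access log and counting TCP connections per remote IP, can be expressed as a short shell script. This is an added example, not the script from the original post (the screenshot is not reproduced here). All input is constructed sample data using RFC 5737 documentation addresses; the thresholds are small so the sample stays readable, where the post used 500 connections. The rules are printed, not applied, unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not the original post's script. Counts requests per IP in an
# Nginx access log and TCP connections per remote IP, then turns the IPs over a
# threshold into iptables DROP rules. All sample input below is constructed.

# Constructed Nginx access log (combined format; the client IP is field 1).
# 203.0.113.5 makes 12 requests to index.php, two other clients make one each.
sample_access_log() {
    i=0
    while [ "$i" -lt 12 ]; do
        printf '203.0.113.5 - - [27/Nov/2014:23:%02d:00 +0800] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"\n' "$i"
        i=$((i + 1))
    done
    printf '198.51.100.7 - - [27/Nov/2014:23:01:00 +0800] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"\n'
    printf '192.0.2.9 - - [27/Nov/2014:23:02:00 +0800] "GET /about.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"\n'
}

# Constructed `netstat -nt`-style output: 203.0.113.5 holds 5 connections to
# port 80, 198.51.100.7 holds 2.
sample_netstat() {
    for port in 51001 51002 51003 51004 51005; do
        echo "tcp        0      0 10.0.0.1:80   203.0.113.5:$port   ESTABLISHED"
    done
    echo "tcp        0      0 10.0.0.1:80   198.51.100.7:52001   ESTABLISHED"
    echo "tcp        0      0 10.0.0.1:80   198.51.100.7:52002   ESTABLISHED"
}

# requests_per_ip: reads an access log on stdin, prints "ip count", busiest first.
requests_per_ip() {
    awk '{ print $1 }' | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# connections_per_ip: reads netstat output on stdin; field 5 is the foreign
# address, whose port suffix is stripped. Prints "ip count", busiest first.
connections_per_ip() {
    awk '$1 == "tcp" { ip = $5; sub(/:[0-9]+$/, "", ip); print ip }' \
        | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# ips_over THRESHOLD: keeps only the IPs whose count exceeds THRESHOLD.
ips_over() {
    awk -v t="$1" '$2 > t { print $1 }'
}

# drop_rules: one iptables DROP rule per IP read from stdin. Printed by
# default; executed only when APPLY=1 (run as root on the real host).
drop_rules() {
    while read -r ip; do
        echo "iptables -I INPUT -s $ip -j DROP"
        if [ "${APPLY:-0}" = 1 ]; then
            iptables -I INPUT -s "$ip" -j DROP
        fi
    done
}

# Stand-alone run: show both tables and the rules that would be generated.
echo "requests per IP:";    sample_access_log | requests_per_ip
echo "connections per IP:"; sample_netstat | connections_per_ip
echo "rules (dry run):";    sample_netstat | connections_per_ip | ips_over 3 | drop_rules
```

On a real host you would replace `sample_access_log` with `cat /path/to/access.log` and `sample_netstat` with `netstat -nt`, and run the pipeline from cron or a loop. Keep the threshold well above what a busy legitimate client (a NAT gateway, a crawler you want) can reach, because a DROP rule on a shared IP takes every user behind it offline.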

First, contact the data center. A data center generally has monitoring and defense equipment, so asking it to help solve the problem may be more effective.

Blocking cannot be done in iptables in that case; you can only defend through Nginx and let Nginx identify which clients are attackers and which are real users. In fact Nginx has two modules for this, ngx_http_limit_conn_module and ngx_http_limit_req_module; refer to the official documentation:

http://nginx.org/cn/docs/http/ngx_http_limit_req_module.html

http://nginx.org/cn/docs/http/ngx_http_limit_conn_module.html

First define the zones in the http block, as follows:

# one shared-memory zone per module, keyed by the client address
limit_conn_zone $binary_remote_addr zone=addr:10m;
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;

Then, in the server section, add the limits to the location you need to restrict, which is generally the PHP requests, as follows:

location ~* ^/(.*)\.php?$ {

    limit_conn addr 3;
    limit_req zone=one burst=2 nodelay;

    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    # $host_path is a variable set elsewhere in the author's configuration
    fastcgi_param SCRIPT_FILENAME $host_path/$fastcgi_script_name;
    include fastcgi_params;
}

After applying these two rules, for pages that need to execute a PHP script, only 3 connections are allowed from the same IP, and only 1 request per second (bursts can reach 2).
Such rules generally do not affect normal users (very few people open 3 pages in 1 second), but to avoid affecting those quick-handed users, you can customize the 503 page in Nginx so that it shows the user a prompt and then refreshes automatically. These parameters can be adjusted to your own situation, and in this way you can defend against attacks from multiple IPs or from a single IP.
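To make the "3 connections, 1 request per second, burst 2" behaviour concrete, here is a small model of how the two limits decide between 200 and 503. This is an added example and not part of the original post or of Nginx itself. The limit_req part follows the module's leaky-bucket accounting as the editor reads its source (an assumption of this example): the first request from a client starts with an "excess" of 0, every further request adds 1, the excess drains at `rate` requests per second, and a request is rejected when the excess would rise above `burst`; `nodelay` only changes whether accepted burst requests are delayed, not whether they are accepted. Time is modelled in floating-point seconds instead of nginx's integer milliseconds.

```shell
#!/bin/sh
# Added example, not code from the original post: a model of the accept/reject
# decisions of limit_req (rate + burst) and limit_conn for one client.
# Simplification (assumption): nginx counts in integer milliseconds; awk floats
# are used here.

# simulate_limit_req RATE BURST
# Reads one request timestamp (seconds) per line from stdin, all from the same
# client, and prints the status each request would get, space separated.
simulate_limit_req() {
    awk -v rate="$1" -v burst="$2" '
        NR == 1 { prev = 0; last = $1; out = "200"; next }   # first request: excess 0
        {
            e = prev - rate * ($1 - last) + 1   # drain since last accepted request, add this one
            if (e < 0) e = 0
            if (e > burst) {
                out = out " 503"                # over the burst: rejected, state unchanged
            } else {
                out = out " 200"                # accepted: remember excess and time
                prev = e
                last = $1
            }
        }
        END { print out }'
}

# simulate_limit_conn LIMIT
# Reads "open ID" / "close ID" events from stdin and prints the status of each
# open. A rejected open is not counted as an active connection.
simulate_limit_conn() {
    awk -v limit="$1" '
        $1 == "open" {
            if (active >= limit) { out = out sep "503" }
            else { active++; held[$2] = 1; out = out sep "200" }
            sep = " "
        }
        $1 == "close" && ($2 in held) { active--; delete held[$2] }
        END { print out }'
}

# Stand-alone demo with the values from the post: rate=1r/s burst=2, limit_conn 3.
# Four requests at t=0 -> the first three pass (1 + burst 2), the fourth is 503;
# at t=0.5 the bucket has not drained enough; at t=2 and t=5 it has.
printf '0\n0\n0\n0\n0.5\n2\n5\n' | simulate_limit_req 1 2
printf 'open a\nopen b\nopen c\nopen d\nclose a\nopen e\n' | simulate_limit_conn 3
```

The demo shows why a customised 503 page with an automatic refresh is worth having: a user who double-clicks and then hits reload within half a second lands in the 503 branch even though the steady-state rate allows them through two seconds later.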


Another signal is the User-Agent. The following is the User-Agent seen during one CC attack:
Mozilla/4.0 (compatible; MSIE 5.01; NT 5.0; MyIE 3.01) Cache-Control: no-store, must-revalidate
Almost no normal browser carries the "must-revalidate" keyword in its User-Agent, so we can filter on this feature and deny all requests whose User-Agent contains "must-revalidate":

if ($http_user_agent ~ must-revalidate) {
    return 403;
}


Original address: http://www.myjishu.com/?p=240


This article is from the "Operation and maintenance of the road" blog; reprinting is declined.
