Analysis of CC attack defense security technologies that are more abnormal than DDoS

The predecessor of CC attacks is DDOS attacks (Distributed Denial of attack ). The principles of DDOS attacks against TCP/IP protocol defects cannot be considered as defects, but when the Protocol was designed for decades ago, designers assumed that everyone was a good citizen who followed the rules of the game, now the Internet environment is much more complex than at the time, but it is still using the previous protocol, so it will bring some problems. The communication between the two machines requires a so-called three-way handshake. First, the client sends a request (SYN). After the server receives the request, it fills in the session information table (TCB, saved in memory ), and feedback a response packet (SYN-ACK) to the client, when the connection is in the TIME_WAIT State, if the client does not finally receive the ACK packet, will try to send a response packet SYN-ACK after a while, after multiple retries, the server closes the session and deletes the session from TCB if the client does not respond. The waiting process is about 30 seconds. When an attacker simultaneously initiates a 100,000 request (SYN) to an open port on the server, and itself refuses to send a SYN-ACK response, the server's TCB will soon exceed the load, in addition, attackers can forge the source IP address in the packet so that the attacker will not be blocked by the packet returned by the server. It can be seen that this is a serious problem in the TCP/IP protocol. Data packets are filtered through firewall policy audit to prevent DDOS attacks to a certain extent.

CC attacks and DDOS attacks are essentially the same, all for the purpose of consuming server resources. Currently, it seems that they are mainly used for crazy requests where WEB applications consume resources. For example, if the search function in the Forum is not restricted, the MYSQL service will be suspended when the common configuration server has hundreds of concurrent requests.

There are three types of CC attacks: direct attacks, proxy attacks, botnet attacks, and direct attacks mainly target WEB applications with important defects, generally, this problem occurs only when there is a problem with program writing, which is rare. BotNet attacks are a bit similar to DDOS attacks and cannot be prevented from the WEB application layer. Therefore, we will not discuss these two cases in depth. Here we will mainly discuss the second one, proxy attacks: CC attackers generally operate on a batch of proxy servers, for example, 100 proxies, and then each proxy sends 10 requests at the same time, so that the WEB server receives 1000 concurrent requests at the same time, after a request is sent, the connection to the proxy is immediately disconnected to prevent the data returned by the Proxy from blocking its own bandwidth, and the request cannot be initiated again, at this time, the WEB server will queue the processes that respond to these requests, and the database server will also do the same. As a result, normal requests will be placed very late and processed, just as when you went to the canteen for dinner, there were usually less than 10 people in the queue, but today there were one thousand people in front of them, so the chances of your turn would be very small, in this case, the page is very slow or white.

Defense Against CC attacks

Discuz! 5.5 based on the past anti-CC attack, two methods are added. You can combine appropriate methods based on the actual attack situation. I will briefly describe the configuration method, but will not elaborate on the confrontation principle in detail.

Configuration file config. inc. php

$ Attackevasive = 0; // Forum defense level, which can prevent DoS attacks caused by a large number of abnormal requests // defends against DoS attacks caused by a large number of normal requests, // 0 = disabled, 1 = cookie refresh restriction, 2 = restrict proxy access, 4 = second request, 8 = answer question (answer question when the first access is required) // The combination is: 1 2, 1 4, 2 8, 1 2 4...

Normally, it is set to 0. When attacked, it analyzes the attack methods and rules and combines them. You can try to set it to 2, 2 4, 1 2 4, 1 2 4 8, if 1 2 4 4 8 still does not work, we think the application layer can no longer resist, the host may be attacked by a botnet DDOS attack. We recommend that you start with the firewall policy.